Windows Analysis Report
Ot7EdLwo881ajbV.exe

Overview

General Information

Sample name: Ot7EdLwo881ajbV.exe
Analysis ID: 1538476
MD5: f99cdd71043a75d4fe553fb39de6d3e5
SHA1: 28d123dd5f049724ec34cea59a73fb7385b3f904
SHA256: 356dd4d1abe930b8189e5d5a1870c6a70236a12db73b24c19d0e461056c15dfa
Tags: exe, user-TeamDreier

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses ipconfig to lookup or modify the Windows network settings
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Ot7EdLwo881ajbV.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe" MD5: F99CDD71043A75D4FE553FB39DE6D3E5)
    • Ot7EdLwo881ajbV.exe (PID: 7908 cmdline: "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe" MD5: F99CDD71043A75D4FE553FB39DE6D3E5)
      • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • ipconfig.exe (PID: 7972 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
          • cmd.exe (PID: 8032 cmdline: /c del "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.ractice-eiddyy.xyz/dr14/"], "decoy": ["ypewriter.pro", "conoficina.shop", "etrules.net", "bwuc-ball.xyz", "obis.xyz", "tpbuncistoto.xyz", "lhakikas.net", "long-ybzxgm.xyz", "ray-east.xyz", "hild-rbfij.xyz", "imself-kyac.xyz", "ftuu-government.xyz", "om-tracksi.top", "olicy-yzipy.xyz", "ntalaxlesbabbool.cfd", "ingleyou.top", "ieryfiertzframing.cfd", "pon-nacgrz.xyz", "aomei515.top", "alzgroup.net", "7032.vip", "evel100slot.pro", "ideplace.click", "jxjxj.lat", "ransplant-la1am-hair.today", "pkge-last.xyz", "rniesphotos.net", "uildbin.net", "lobalwealth.institute", "inairo.pro", "oneydewsolutions.net", "8630.photo", "udience-mgiq.xyz", "xpressdiamondscar.shop", "umberlestari.net", "itringmorbiermugient.cfd", "yegle.net", "aaqn-safe.xyz", "resident-clvedb.xyz", "ltj-democratic.xyz", "a-tickets45.top", "adgeter.xyz", "ig02sp5gbps11-mnqrsd.xyz", "dtqu.shop", "qctdb-race.xyz", "test-octopus.click", "pioux.xyz", "idde.shop", "ronereagerereaver.cfd", "lo4zj.top", "hikiss.net", "reast-augmentation12.live", "uxj-include.xyz", "onnectdesert.click", "vailable-qopsca.xyz", "ery-ghlbqs.xyz", "88886.net", "useinidismyerbas.cfd", "iadomus.net", "ymoviz2012.pro", "kin-tozde.xyz", "pon-nmlkk.xyz", "ywquo.top", "onoyekorerolaothoe.cfd"]}
Source | Rule | Description | Author | Strings
00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18819:$sqlite3step: 68 34 1C 7B E1
      • 0x1892c:$sqlite3step: 68 34 1C 7B E1
      • 0x18848:$sqlite3text: 68 38 2A 90 C5
      • 0x1896d:$sqlite3text: 68 38 2A 90 C5
      • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a19:$sqlite3step: 68 34 1C 7B E1
          • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a48:$sqlite3text: 68 38 2A 90 C5
          • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
No Sigma rule has matched
No Suricata rule has matched
AV Detection

Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.ractice-eiddyy.xyz/dr14/"], "decoy": ["ypewriter.pro", "conoficina.shop", "etrules.net", "bwuc-ball.xyz", "obis.xyz", "tpbuncistoto.xyz", "lhakikas.net", "long-ybzxgm.xyz", "ray-east.xyz", "hild-rbfij.xyz", "imself-kyac.xyz", "ftuu-government.xyz", "om-tracksi.top", "olicy-yzipy.xyz", "ntalaxlesbabbool.cfd", "ingleyou.top", "ieryfiertzframing.cfd", "pon-nacgrz.xyz", "aomei515.top", "alzgroup.net", "7032.vip", "evel100slot.pro", "ideplace.click", "jxjxj.lat", "ransplant-la1am-hair.today", "pkge-last.xyz", "rniesphotos.net", "uildbin.net", "lobalwealth.institute", "inairo.pro", "oneydewsolutions.net", "8630.photo", "udience-mgiq.xyz", "xpressdiamondscar.shop", "umberlestari.net", "itringmorbiermugient.cfd", "yegle.net", "aaqn-safe.xyz", "resident-clvedb.xyz", "ltj-democratic.xyz", "a-tickets45.top", "adgeter.xyz", "ig02sp5gbps11-mnqrsd.xyz", "dtqu.shop", "qctdb-race.xyz", "test-octopus.click", "pioux.xyz", "idde.shop", "ronereagerereaver.cfd", "lo4zj.top", "hikiss.net", "reast-augmentation12.live", "uxj-include.xyz", "onnectdesert.click", "vailable-qopsca.xyz", "ery-ghlbqs.xyz", "88886.net", "useinidismyerbas.cfd", "iadomus.net", "ymoviz2012.pro", "kin-tozde.xyz", "pon-nmlkk.xyz", "ywquo.top", "onoyekorerolaothoe.cfd"]}
Source: Ot7EdLwo881ajbV.exe, ReversingLabs: Detection: 28%
Source: Yara match, File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ot7EdLwo881ajbV.exe, Joe Sandbox ML: detected
Source: Ot7EdLwo881ajbV.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Ot7EdLwo881ajbV.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ipconfig.pdb source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419016125.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001178000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419016125.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001178000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: Wovy.pdb source: Ot7EdLwo881ajbV.exe
Source: Binary string: wntdll.pdbUGP source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1423548845.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1418648965.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Ot7EdLwo881ajbV.exe, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000006.00000003.1423548845.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1418648965.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Wovy.pdbSHA256 source: Ot7EdLwo881ajbV.exe
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe, Code function: 4x nop then pop esi, 4_2_004172F2
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe, Code function: 4x nop then pop edi, 4_2_00416CC0
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe, Code function: 4x nop then pop edi, 4_2_00417D7D
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop esi, 6_2_007272F2
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 6_2_00726CC0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 6_2_00727D7D

Networking

Source: Malware configuration extractor, URLs: www.ractice-eiddyy.xyz/dr14/
Source: DNS query: www.adgeter.xyz
Source: DNS query: www.olicy-yzipy.xyz
Source: DNS query: www.pon-nacgrz.xyz
Source: DNS query: www.bwuc-ball.xyz
Source: unknown, DNS traffic detected: query: www.alzgroup.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ieryfiertzframing.cfd replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.bwuc-ball.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.adgeter.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.pon-nacgrz.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.olicy-yzipy.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.lhakikas.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.oneydewsolutions.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ntalaxlesbabbool.cfd replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ypewriter.pro replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.iadomus.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.alzgroup.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ieryfiertzframing.cfd replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.bwuc-ball.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.adgeter.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.pon-nacgrz.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.olicy-yzipy.xyz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.lhakikas.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.oneydewsolutions.net replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ntalaxlesbabbool.cfd replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ypewriter.pro replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.iadomus.net replaycode: Name error (3)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: www.oneydewsolutions.net
Source: global traffic, DNS traffic detected: DNS query: www.adgeter.xyz
Source: global traffic, DNS traffic detected: DNS query: www.lhakikas.net
Source: global traffic, DNS traffic detected: DNS query: www.olicy-yzipy.xyz
Source: global traffic, DNS traffic detected: DNS query: www.pon-nacgrz.xyz
Source: global traffic, DNS traffic detected: DNS query: www.ypewriter.pro
Source: global traffic, DNS traffic detected: DNS query: www.bwuc-ball.xyz
Source: global traffic, DNS traffic detected: DNS query: www.iadomus.net
Source: global traffic, DNS traffic detected: DNS query: www.alzgroup.net
Source: global traffic, DNS traffic detected: DNS query: www.ieryfiertzframing.cfd
Source: global traffic, DNS traffic detected: DNS query: www.ntalaxlesbabbool.cfd
Source: explorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274265821.0000000007306000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274265821.0000000007306000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274265821.0000000007306000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274265821.0000000007306000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000002.3773443635.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3773414956.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1372069344.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.adgeter.xyz
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.adgeter.xyz/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.adgeter.xyz/dr14/www.lhakikas.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.adgeter.xyzReferer:
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.alzgroup.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.alzgroup.net/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.alzgroup.net/dr14/www.ieryfiertzframing.cfd
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.alzgroup.netReferer:
Source: explorer.exe, 00000005.00000003.2272269182.000000000C44D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271807121.000000000C430000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1375956423.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bwuc-ball.xyz
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bwuc-ball.xyz/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bwuc-ball.xyz/dr14/www.iadomus.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.bwuc-ball.xyzReferer:
Source: explorer.exe, 00000005.00000002.3771427420.00000000071A4000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.iadomus.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.iadomus.net/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.iadomus.net/dr14/www.alzgroup.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.iadomus.netReferer:
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ieryfiertzframing.cfd
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ieryfiertzframing.cfd/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ieryfiertzframing.cfd/dr14/www.ntalaxlesbabbool.cfd
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ieryfiertzframing.cfdReferer:
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.lhakikas.net
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.lhakikas.net/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.lhakikas.net/dr14/www.olicy-yzipy.xyz
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.lhakikas.netReferer:
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ltj-democratic.xyz
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ltj-democratic.xyz/dr14/
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ltj-democratic.xyz/dr14/www.onoyekorerolaothoe.cfd
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ltj-democratic.xyzReferer:
Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ntalaxlesbabbool.cfd
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntalaxlesbabbool.cfd/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntalaxlesbabbool.cfd/dr14/www.ltj-democratic.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntalaxlesbabbool.cfdReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olicy-yzipy.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olicy-yzipy.xyz/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olicy-yzipy.xyz/dr14/www.pioux.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olicy-yzipy.xyzReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oneydewsolutions.net
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oneydewsolutions.net/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oneydewsolutions.net/dr14/www.adgeter.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oneydewsolutions.netReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onoyekorerolaothoe.cfd
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onoyekorerolaothoe.cfd/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onoyekorerolaothoe.cfd/dr14/www.test-octopus.click
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onoyekorerolaothoe.cfdReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pioux.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pioux.xyz/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pioux.xyz/dr14/www.pon-nacgrz.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pioux.xyzReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pon-nacgrz.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pon-nacgrz.xyz/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pon-nacgrz.xyz/dr14/www.ypewriter.pro
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pon-nacgrz.xyzReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractice-eiddyy.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractice-eiddyy.xyz/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractice-eiddyy.xyz/dr14/P
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractice-eiddyy.xyzReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.test-octopus.click
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.test-octopus.click/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.test-octopus.click/dr14/www.ractice-eiddyy.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.test-octopus.clickReferer:
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ypewriter.pro
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ypewriter.pro/dr14/
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ypewriter.pro/dr14/www.bwuc-ball.xyz
          Source: explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ypewriter.proReferer:
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000005.00000003.2272963365.0000000008DAD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000005.00000002.3771427420.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.0000000007276000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000005.00000003.2273487584.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
          Source: explorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000005.00000002.3771427420.00000000071A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/

          E-Banking Fraud

          barindex
          Source: Yara match. File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match. File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match. File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match. File source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match. File source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match. File source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match. File source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match. File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Ot7EdLwo881ajbV.exe PID: 7572, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: Ot7EdLwo881ajbV.exe PID: 7908, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 7972, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A330 NtCreateFile, 4_2_0041A330
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A3E0 NtReadFile, 4_2_0041A3E0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A460 NtClose, 4_2_0041A460
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A510 NtAllocateVirtualMemory, 4_2_0041A510
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A32F NtCreateFile, 4_2_0041A32F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A45A NtClose, 4_2_0041A45A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A42B NtReadFile, 4_2_0041A42B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A50B NtAllocateVirtualMemory, 4_2_0041A50B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041A58A NtAllocateVirtualMemory, 4_2_0041A58A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642B60 NtClose, LdrInitializeThunk, 4_2_01642B60
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642BF0 NtAllocateVirtualMemory, LdrInitializeThunk, 4_2_01642BF0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642AD0 NtReadFile, LdrInitializeThunk, 4_2_01642AD0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642D30 NtUnmapViewOfSection, LdrInitializeThunk, 4_2_01642D30
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642D10 NtMapViewOfSection, LdrInitializeThunk, 4_2_01642D10
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642DF0 NtQuerySystemInformation, LdrInitializeThunk, 4_2_01642DF0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642DD0 NtDelayExecution, LdrInitializeThunk, 4_2_01642DD0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642C70 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_01642C70
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642CA0 NtQueryInformationToken, LdrInitializeThunk, 4_2_01642CA0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642F30 NtCreateSection, LdrInitializeThunk, 4_2_01642F30
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642FE0 NtCreateFile, LdrInitializeThunk, 4_2_01642FE0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642FB0 NtResumeThread, LdrInitializeThunk, 4_2_01642FB0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642F90 NtProtectVirtualMemory, LdrInitializeThunk, 4_2_01642F90
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642EA0 NtAdjustPrivilegesToken, LdrInitializeThunk, 4_2_01642EA0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642E80 NtReadVirtualMemory, LdrInitializeThunk, 4_2_01642E80
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01644340 NtSetContextThread, 4_2_01644340
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01644650 NtSuspendThread, 4_2_01644650
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642BE0 NtQueryValueKey, 4_2_01642BE0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642BA0 NtEnumerateValueKey, 4_2_01642BA0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642B80 NtQueryInformationFile, 4_2_01642B80
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642AF0 NtWriteFile, 4_2_01642AF0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642AB0 NtWaitForSingleObject, 4_2_01642AB0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642D00 NtSetInformationFile, 4_2_01642D00
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642DB0 NtEnumerateKey, 4_2_01642DB0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642C60 NtCreateKey, 4_2_01642C60
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642C00 NtQueryInformationProcess, 4_2_01642C00
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642CF0 NtOpenProcess, 4_2_01642CF0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642CC0 NtQueryVirtualMemory, 4_2_01642CC0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642F60 NtCreateProcessEx, 4_2_01642F60
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642FA0 NtQuerySection, 4_2_01642FA0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642E30 NtWriteVirtualMemory, 4_2_01642E30
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01642EE0 NtQueueApcThread, 4_2_01642EE0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01643010 NtOpenDirectoryObject, 4_2_01643010
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01643090 NtSetValueKey, 4_2_01643090
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016435C0 NtCreateMutant, 4_2_016435C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016439B0 NtGetContextThread, 4_2_016439B0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01643D70 NtOpenThread, 4_2_01643D70
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01643D10 NtOpenProcessToken, 4_2_01643D10
          Source: C:\Windows\explorer.exe Code function: 5_2_1169F232 NtCreateFile, 5_2_1169F232
          Source: C:\Windows\explorer.exe Code function: 5_2_116A0E12 NtProtectVirtualMemory, 5_2_116A0E12
          Source: C:\Windows\explorer.exe Code function: 5_2_116A0E0A NtProtectVirtualMemory, 5_2_116A0E0A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152B60 NtClose, LdrInitializeThunk, 6_2_03152B60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152AD0 NtReadFile, LdrInitializeThunk, 6_2_03152AD0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152F30 NtCreateSection, LdrInitializeThunk, 6_2_03152F30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152FE0 NtCreateFile, LdrInitializeThunk, 6_2_03152FE0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152EA0 NtAdjustPrivilegesToken, LdrInitializeThunk, 6_2_03152EA0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152D10 NtMapViewOfSection, LdrInitializeThunk, 6_2_03152D10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152DD0 NtDelayExecution, LdrInitializeThunk, 6_2_03152DD0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152DF0 NtQuerySystemInformation, LdrInitializeThunk, 6_2_03152DF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152C70 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_03152C70
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152C60 NtCreateKey, LdrInitializeThunk, 6_2_03152C60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152CA0 NtQueryInformationToken, LdrInitializeThunk, 6_2_03152CA0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_031535C0 NtCreateMutant, LdrInitializeThunk, 6_2_031535C0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03154340 NtSetContextThread, 6_2_03154340
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03154650 NtSuspendThread, 6_2_03154650
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152B80 NtQueryInformationFile, 6_2_03152B80
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152BA0 NtEnumerateValueKey, 6_2_03152BA0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152BF0 NtAllocateVirtualMemory, 6_2_03152BF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152BE0 NtQueryValueKey, 6_2_03152BE0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152AB0 NtWaitForSingleObject, 6_2_03152AB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152AF0 NtWriteFile, 6_2_03152AF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152F60 NtCreateProcessEx, 6_2_03152F60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152F90 NtProtectVirtualMemory, 6_2_03152F90
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152FB0 NtResumeThread, 6_2_03152FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152FA0 NtQuerySection, 6_2_03152FA0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152E30 NtWriteVirtualMemory, 6_2_03152E30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152E80 NtReadVirtualMemory, 6_2_03152E80
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152EE0 NtQueueApcThread, 6_2_03152EE0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152D00 NtSetInformationFile, 6_2_03152D00
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152D30 NtUnmapViewOfSection, 6_2_03152D30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152DB0 NtEnumerateKey, 6_2_03152DB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152C00 NtQueryInformationProcess, 6_2_03152C00
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152CC0 NtQueryVirtualMemory, 6_2_03152CC0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03152CF0 NtOpenProcess, 6_2_03152CF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03153010 NtOpenDirectoryObject, 6_2_03153010
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03153090 NtSetValueKey, 6_2_03153090
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_031539B0 NtGetContextThread, 6_2_031539B0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03153D10 NtOpenProcessToken, 6_2_03153D10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_03153D70 NtOpenThread, 6_2_03153D70
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A330 NtCreateFile, 6_2_0072A330
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A3E0 NtReadFile, 6_2_0072A3E0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A460 NtClose, 6_2_0072A460
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A32F NtCreateFile, 6_2_0072A32F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A45A NtClose, 6_2_0072A45A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072A42B NtReadFile, 6_2_0072A42B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FD9BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose, 6_2_02FD9BAF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FDA036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread, 6_2_02FDA036
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FD9BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, 6_2_02FD9BB2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FDA042 NtQueryInformationProcess, 6_2_02FDA042
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031114606_2_03111460
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031DFB766_2_031DFB76
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0313FB806_2_0313FB80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03195BF06_2_03195BF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0315DBF96_2_0315DBF9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031DFA496_2_031DFA49
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031D7A466_2_031D7A46
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03193A6C6_2_03193A6C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03165AA06_2_03165AA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031BDAAC6_2_031BDAAC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031C1AA36_2_031C1AA3
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031CDAC66_2_031CDAC6
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031B59106_2_031B5910
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031299506_2_03129950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0313B9506_2_0313B950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0318D8006_2_0318D800
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031238E06_2_031238E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031DFF096_2_031DFF09
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03121F926_2_03121F92
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031DFFB16_2_031DFFB1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03129EB06_2_03129EB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031D1D5A6_2_031D1D5A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03123D406_2_03123D40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031D7D736_2_031D7D73
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0313FDC06_2_0313FDC0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_03199C326_2_03199C32
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_031DFCF26_2_031DFCF2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0072E4B76_2_0072E4B7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0072EA9E6_2_0072EA9E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0072ED696_2_0072ED69
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00712D906_2_00712D90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00712D876_2_00712D87
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00719E606_2_00719E60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00719E5C6_2_00719E5C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_0072EE026_2_0072EE02
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00712FB06_2_00712FB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FDA0366_2_02FDA036
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FDB2326_2_02FDB232
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FD5B306_2_02FD5B30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FD5B326_2_02FD5B32
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FD10826_2_02FD1082
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FD89126_2_02FD8912
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FDE5CD6_2_02FDE5CD
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_02FD2D026_2_02FD2D02
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 03155130 appears 58 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0319F290 appears 105 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 03167E54 appears 102 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0310B970 appears 277 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0318EA12 appears 86 times
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: String function: 0168F290 appears 105 times
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: String function: 015FB970 appears 277 times
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: String function: 01645130 appears 58 times
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: String function: 0167EA12 appears 86 times
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: String function: 01657E54 appears 111 times
          Source: Ot7EdLwo881ajbV.exe, 00000000.00000000.1298250532.000000000019C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWovy.exe" vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000000.00000002.1359322867.000000000072E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000000.00000002.1364380533.0000000006C80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419367496.00000000016FD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419016125.0000000001117000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001178000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001193000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe | Binary or memory string: OriginalFilenameWovy.exe" vs Ot7EdLwo881ajbV.exe
          Source: Ot7EdLwo881ajbV.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Ot7EdLwo881ajbV.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: Ot7EdLwo881ajbV.exe PID: 7908, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: ipconfig.exe PID: 7972, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Ot7EdLwo881ajbV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, bBmgRN9tOgZyk6y8Ue.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, bBmgRN9tOgZyk6y8Ue.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@12/0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ot7EdLwo881ajbV.exe.log
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
          Source: Ot7EdLwo881ajbV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Ot7EdLwo881ajbV.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Ot7EdLwo881ajbV.exe | ReversingLabs: Detection: 28%
          Source: unknown | Process created: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Process created: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Process created: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Ot7EdLwo881ajbV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Ot7EdLwo881ajbV.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Ot7EdLwo881ajbV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: ipconfig.pdb source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419016125.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001178000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419016125.0000000001110000.00000040.10000000.00040000.00000000.sdmp, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419170298.0000000001178000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Wovy.pdb source: Ot7EdLwo881ajbV.exe
          Source: Binary string: wntdll.pdbUGP source: Ot7EdLwo881ajbV.exe, 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1423548845.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1418648965.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Ot7EdLwo881ajbV.exe, Ot7EdLwo881ajbV.exe, 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000006.00000003.1423548845.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000003.1418648965.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: Wovy.pdbSHA256 source: Ot7EdLwo881ajbV.exe

          Data Obfuscation

          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, at4ONG9F0NYCELN5Tj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
          Source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs .Net Code: kBGSsTrAB4 System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs .Net Code: kBGSsTrAB4 System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_00417913 pushfd ; iretd 4_2_00417914
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_00401408 pushad ; retf 4_2_0040140F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041D4D2 push eax; ret 4_2_0041D4D8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041D4DB push eax; ret 4_2_0041D542
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041D485 push eax; ret 4_2_0041D4D8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0041D53C push eax; ret 4_2_0041D542
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_004166A0 push ebp; retf 4_2_004166A7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_015D225F pushad ; ret 4_2_015D27F9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_015D27FA pushad ; ret 4_2_015D27F9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016009AD push ecx; mov dword ptr [esp], ecx 4_2_016009B6
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_015D283D push eax; iretd 4_2_015D2858
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_015D135E push eax; iretd 4_2_015D1369
          Source: C:\Windows\explorer.exe Code function: 5_2_1065D9B5 push esp; retn 0000h 5_2_1065DAE7
          Source: C:\Windows\explorer.exe Code function: 5_2_1065DB02 push esp; retn 0000h 5_2_1065DB03
          Source: C:\Windows\explorer.exe Code function: 5_2_1065DB1E push esp; retn 0000h 5_2_1065DB1F
          Source: C:\Windows\explorer.exe Code function: 5_2_116A2B02 push esp; retn 0000h 5_2_116A2B03
          Source: C:\Windows\explorer.exe Code function: 5_2_116A2B1E push esp; retn 0000h 5_2_116A2B1F
          Source: C:\Windows\explorer.exe Code function: 5_2_116A29B5 push esp; retn 0000h 5_2_116A2AE7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_00D4570D push ecx; ret 6_2_00D45720
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_031109AD push ecx; mov dword ptr [esp], ecx 6_2_031109B6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072E40D push FFFFFF84h; retf 6_2_0072E40F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072D4D2 push eax; ret 6_2_0072D4D8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072D4DB push eax; ret 6_2_0072D542
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072D485 push eax; ret 6_2_0072D4D8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_0072D53C push eax; ret 6_2_0072D542
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_007266A0 push ebp; retf 6_2_007266A7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_00727913 pushfd ; iretd 6_2_00727914
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FDEB1E push esp; retn 0000h 6_2_02FDEB1F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FDEB02 push esp; retn 0000h 6_2_02FDEB03
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_02FDE9B5 push esp; retn 0000h 6_2_02FDEAE7
          Source: Ot7EdLwo881ajbV.exe Static PE information: section name: .text entropy: 7.971068803283514
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, dEiTkfA7SjxqL5QtnY.cs High entropy of concatenated method names: 'HjURFnHfSK', 'f6pRLsyd5X', 'LuDRs2O9ED', 'aDXRVyINKM', 'vKDR1Qpro4', 'UoHRmA7eZC', 'ah6RgMNJJj', 'Y0RR9uAcBK', 'knBRNFeuQk', 't9gREkYc1O'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, rZ47qtdZj2uWTp5gk2p.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eJ8c0qXgEC', 'eIdcKMGmt8', 'UBLcwlIeP8', 'YVVcB43Zt1', 'yqsciRu0WM', 'r3yckJ8ShK', 'jJ5cUc177O'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, ETWBZjjKotfhLVEG7B.cs High entropy of concatenated method names: 'YptRp1L3Bs', 'a0BRltrL3P', 'bbNRnQCEno', 'BYMnXQLX35', 'JFKnz4OmNH', 'bxARhFWv5t', 'xVYRdMY3XP', 'RoeRx9SbCw', 'qLGRZSDdVJ', 'p4yRStAmZE'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, VWeTsrS9qZtWT4kUnv.cs High entropy of concatenated method names: 'KmxdRBmgRN', 'qOgdTZyk6y', 'VZ0dP07Xpw', 'GPZdqRyRvR', 'NRwd3VTQCN', 'zpvdeyJxmc', 'hmbFF8cnTQPmIs2IUq', 'B3Rm8Ky4yG8AXtMHcw', 'QMfddngfuW', 'AfAdZ5OBbU'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, aIL3gwMwGPXcjJ23eD.cs High entropy of concatenated method names: 'UGStp89o4O', 'GR4tfI0TbG', 'T9VtlfBNJc', 'isxtIaxhDi', 'zt0tnWECTt', 'WORtRm4MII', 'PLTtTkmFU2', 'gC0tGjjdu6', 'iiutPEuFYx', 'VYMtq6aMUc'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, JdeGBOXijk9k7Y9IR3.cs High entropy of concatenated method names: 'PTfQdd2rJG', 'jXeQZKl9rg', 'HZ6QSOUkLw', 'PJ7Qp7WQup', 'ImoQfxndSg', 'FN0QIXSRv6', 'D65QnbR73y', 'doBtU9cSsE', 'fkFtM0pS3s', 'gjKt4M1nH5'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, LRvR6JEGRbXydARwVT.cs High entropy of concatenated method names: 'gEvI1LQ7vs', 'gZCIgWs6u2', 'yNxlbSWVYH', 'TFxlJMxtS6', 'dUFlOCSdqL', 'cgylC6VAe3', 'VQmljtcKiZ', 'lCJlyNuVr4', 'UlolAoKGme', 'sKilHZ4KKN'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, AOhY9axNNS11tp0klk.cs High entropy of concatenated method names: 'PDRsZnXgD', 'HhtVTOGep', 'SeCm1isaB', 'UkQgkEOY6', 'D3yNp8T9b', 'yXgEBTfjb', 'pLeIcwd0VaCqSH6O86', 'FUhZxQpu2Ak4YVxf1e', 'VNfthhyqu', 'UqncruEXr'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, tvaO05oJad3j4n7gqJ.cs High entropy of concatenated method names: 'aRg69MkI4v', 'i2o6NIVc59', 'qYY62OiV6D', 'Iii6vcK0qD', 'URy6J3xZ2G', 'Ke36OwHGjA', 'iYf6jF64fl', 'RwC6yDwQxc', 'eRa6HqxStD', 'GRk6WaC3yo'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, klDtT3dhKBswoJIOH9u.cs High entropy of concatenated method names: 'im6QFAnNQN', 'AmSQLBlZVt', 'B6GQsYSSfX', 'oj6QV8TvO6', 'o8SQ1FA7cI', 'PxkQm56G95', 'wtJQgope4I', 'W60Q9hLGJm', 'r9jQNBmP5F', 'kNsQEXxWOA'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, myDQcBkbVdiXfBQNBb.cs High entropy of concatenated method names: 'mNpYMHEisw', 'kFsYXeWhlj', 'hcbthvi5SS', 'TkatdlhwQu', 'D8GYWI05Mf', 'bxkYaiAWnl', 'ytKYo5sh3D', 'vdnY0oXBrZ', 'FrEYK8Cn8b', 'eZXYwLCHFT'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, bBmgRN9tOgZyk6y8Ue.cs High entropy of concatenated method names: 'iKef0ZOtxx', 'GLyfK58QxG', 'ecKfwXduC8', 'IU5fBAWD99', 'Y8Rfi5rJm8', 'mYOfkkiwsU', 'TG5fUvVmWD', 'Tl5fMYbVPO', 'dT5f4eSsAC', 'd7NfXwhkZR'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, rCNspv2yJxmcon2Zpo.cs High entropy of concatenated method names: 'Q1nnD7lMeI', 'KbSnfma68Y', 'xKHnIATFy3', 'V3mnRTfUsR', 'j7enTOg9d9', 'aVxIiotN92', 'SstIkkEjgL', 'HXJIUwLYS8', 'pd7IM6VNJf', 'YX2I4dTJpv'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, kAapL4lNHIoSIyVmTl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ws7x4TIIha', 'TumxXIwTEw', 'g3SxzdFBqY', 'Ih9ZhNlijo', 'QtuZd4QrNQ', 'wV1Zx8E4rl', 'dCrZZquANm', 'tGtXn2WsiED5HZCss7L'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs High entropy of concatenated method names: 'H0lZDVoUwt', 'kXlZpwnmkO', 'cLvZf1adbc', 'Y0kZloFRnr', 'W9BZI1VwYb', 'RmaZnRbuOA', 'uGyZRw6hjA', 'RrAZThI310', 'yDjZGngVUJ', 'sS4ZPLpjrL'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, V5vd6UNZ007Xpw2PZR.cs High entropy of concatenated method names: 'qwtlV8NvTq', 'onZlmkbJDp', 'pSNl9b6PuH', 'yp5lN7OvZX', 'rLbl3gn73C', 'Kd2leMrMij', 'qv3lYKtuqL', 'aevltxGJ0y', 'VVrlQbRqwC', 'MOUlcCuKZ5'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, F20XDS0MSLdluyfkZw.cs High entropy of concatenated method names: 'FcJ3HjAfB4', 'SHf3arpewM', 'irl30y7i2v', 'ofV3KIQc89', 'KwF3vcO23v', 'oNI3b6kXVd', 'aL53J9GrxR', 'qPd3OijQeV', 'hIP3CsvbpB', 'l9b3jdChjd'
          Source: 0.2.Ot7EdLwo881ajbV.exe.6c80000.3.raw.unpack, TfS3Cqf1xxiXDtlKxn.cs High entropy of concatenated method names: 'Dispose', 'xGtd41gLbE', 'jgTxv0h3tu', 'opSuuedN5Z', 'yhIdXL3gww', 'lPXdzcjJ23', 'ProcessDialogKey', 'pDOxhidNmn', 'yW4xdAK6QJ', 'vkuxxOdeGB'
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, MainForm.cs High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
          Source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, at4ONG9F0NYCELN5Tj.cs High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, dEiTkfA7SjxqL5QtnY.cs High entropy of concatenated method names: 'HjURFnHfSK', 'f6pRLsyd5X', 'LuDRs2O9ED', 'aDXRVyINKM', 'vKDR1Qpro4', 'UoHRmA7eZC', 'ah6RgMNJJj', 'Y0RR9uAcBK', 'knBRNFeuQk', 't9gREkYc1O'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, rZ47qtdZj2uWTp5gk2p.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eJ8c0qXgEC', 'eIdcKMGmt8', 'UBLcwlIeP8', 'YVVcB43Zt1', 'yqsciRu0WM', 'r3yckJ8ShK', 'jJ5cUc177O'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, ETWBZjjKotfhLVEG7B.cs High entropy of concatenated method names: 'YptRp1L3Bs', 'a0BRltrL3P', 'bbNRnQCEno', 'BYMnXQLX35', 'JFKnz4OmNH', 'bxARhFWv5t', 'xVYRdMY3XP', 'RoeRx9SbCw', 'qLGRZSDdVJ', 'p4yRStAmZE'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, VWeTsrS9qZtWT4kUnv.cs High entropy of concatenated method names: 'KmxdRBmgRN', 'qOgdTZyk6y', 'VZ0dP07Xpw', 'GPZdqRyRvR', 'NRwd3VTQCN', 'zpvdeyJxmc', 'hmbFF8cnTQPmIs2IUq', 'B3Rm8Ky4yG8AXtMHcw', 'QMfddngfuW', 'AfAdZ5OBbU'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, aIL3gwMwGPXcjJ23eD.cs High entropy of concatenated method names: 'UGStp89o4O', 'GR4tfI0TbG', 'T9VtlfBNJc', 'isxtIaxhDi', 'zt0tnWECTt', 'WORtRm4MII', 'PLTtTkmFU2', 'gC0tGjjdu6', 'iiutPEuFYx', 'VYMtq6aMUc'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, JdeGBOXijk9k7Y9IR3.cs High entropy of concatenated method names: 'PTfQdd2rJG', 'jXeQZKl9rg', 'HZ6QSOUkLw', 'PJ7Qp7WQup', 'ImoQfxndSg', 'FN0QIXSRv6', 'D65QnbR73y', 'doBtU9cSsE', 'fkFtM0pS3s', 'gjKt4M1nH5'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, LRvR6JEGRbXydARwVT.cs High entropy of concatenated method names: 'gEvI1LQ7vs', 'gZCIgWs6u2', 'yNxlbSWVYH', 'TFxlJMxtS6', 'dUFlOCSdqL', 'cgylC6VAe3', 'VQmljtcKiZ', 'lCJlyNuVr4', 'UlolAoKGme', 'sKilHZ4KKN'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, AOhY9axNNS11tp0klk.cs High entropy of concatenated method names: 'PDRsZnXgD', 'HhtVTOGep', 'SeCm1isaB', 'UkQgkEOY6', 'D3yNp8T9b', 'yXgEBTfjb', 'pLeIcwd0VaCqSH6O86', 'FUhZxQpu2Ak4YVxf1e', 'VNfthhyqu', 'UqncruEXr'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, tvaO05oJad3j4n7gqJ.cs High entropy of concatenated method names: 'aRg69MkI4v', 'i2o6NIVc59', 'qYY62OiV6D', 'Iii6vcK0qD', 'URy6J3xZ2G', 'Ke36OwHGjA', 'iYf6jF64fl', 'RwC6yDwQxc', 'eRa6HqxStD', 'GRk6WaC3yo'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, klDtT3dhKBswoJIOH9u.cs High entropy of concatenated method names: 'im6QFAnNQN', 'AmSQLBlZVt', 'B6GQsYSSfX', 'oj6QV8TvO6', 'o8SQ1FA7cI', 'PxkQm56G95', 'wtJQgope4I', 'W60Q9hLGJm', 'r9jQNBmP5F', 'kNsQEXxWOA'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, myDQcBkbVdiXfBQNBb.cs High entropy of concatenated method names: 'mNpYMHEisw', 'kFsYXeWhlj', 'hcbthvi5SS', 'TkatdlhwQu', 'D8GYWI05Mf', 'bxkYaiAWnl', 'ytKYo5sh3D', 'vdnY0oXBrZ', 'FrEYK8Cn8b', 'eZXYwLCHFT'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, bBmgRN9tOgZyk6y8Ue.cs High entropy of concatenated method names: 'iKef0ZOtxx', 'GLyfK58QxG', 'ecKfwXduC8', 'IU5fBAWD99', 'Y8Rfi5rJm8', 'mYOfkkiwsU', 'TG5fUvVmWD', 'Tl5fMYbVPO', 'dT5f4eSsAC', 'd7NfXwhkZR'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, rCNspv2yJxmcon2Zpo.cs High entropy of concatenated method names: 'Q1nnD7lMeI', 'KbSnfma68Y', 'xKHnIATFy3', 'V3mnRTfUsR', 'j7enTOg9d9', 'aVxIiotN92', 'SstIkkEjgL', 'HXJIUwLYS8', 'pd7IM6VNJf', 'YX2I4dTJpv'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, kAapL4lNHIoSIyVmTl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ws7x4TIIha', 'TumxXIwTEw', 'g3SxzdFBqY', 'Ih9ZhNlijo', 'QtuZd4QrNQ', 'wV1Zx8E4rl', 'dCrZZquANm', 'tGtXn2WsiED5HZCss7L'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, Y8eUIjTtRh0ojhpc7y.cs High entropy of concatenated method names: 'H0lZDVoUwt', 'kXlZpwnmkO', 'cLvZf1adbc', 'Y0kZloFRnr', 'W9BZI1VwYb', 'RmaZnRbuOA', 'uGyZRw6hjA', 'RrAZThI310', 'yDjZGngVUJ', 'sS4ZPLpjrL'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, V5vd6UNZ007Xpw2PZR.cs High entropy of concatenated method names: 'qwtlV8NvTq', 'onZlmkbJDp', 'pSNl9b6PuH', 'yp5lN7OvZX', 'rLbl3gn73C', 'Kd2leMrMij', 'qv3lYKtuqL', 'aevltxGJ0y', 'VVrlQbRqwC', 'MOUlcCuKZ5'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, F20XDS0MSLdluyfkZw.cs High entropy of concatenated method names: 'FcJ3HjAfB4', 'SHf3arpewM', 'irl30y7i2v', 'ofV3KIQc89', 'KwF3vcO23v', 'oNI3b6kXVd', 'aL53J9GrxR', 'qPd3OijQeV', 'hIP3CsvbpB', 'l9b3jdChjd'
          Source: 0.2.Ot7EdLwo881ajbV.exe.3694f60.0.raw.unpack, TfS3Cqf1xxiXDtlKxn.cs High entropy of concatenated method names: 'Dispose', 'xGtd41gLbE', 'jgTxv0h3tu', 'opSuuedN5Z', 'yhIdXL3gww', 'lPXdzcjJ23', 'ProcessDialogKey', 'pDOxhidNmn', 'yW4xdAK6QJ', 'vkuxxOdeGB'
          Source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, MainForm.cs High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
          Source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: Ot7EdLwo881ajbV.exe PID: 7572, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 6_2_00D43872 DnsGetCacheDataTableEx,DnsFree,DnsFree, 6_2_00D43872
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CECD324
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CED0774
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CED0154
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD324
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CED0774
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD944
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD504
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD544
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CED0154
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
          Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 719904 second address: 71990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 719B7E second address: 719B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 2260000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 2420000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 4420000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 6E30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 7E30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 7FD0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Memory allocated: 8FD0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1909
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8029
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879
          Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 9696
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\ipconfig.exe API coverage: 1.9 %
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe TID: 7596 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2172 Thread sleep count: 1909 > 30
          Source: C:\Windows\explorer.exe TID: 2172 Thread sleep time: -3818000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2172 Thread sleep count: 8029 > 30
          Source: C:\Windows\explorer.exe TID: 2172 Thread sleep time: -16058000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8080 Thread sleep count: 275 > 30
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8080 Thread sleep time: -550000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8080 Thread sleep count: 9696 > 30
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8080 Thread sleep time: -19392000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.1362200055.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3775588613.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
          Source: explorer.exe, 00000005.00000003.3077308907.0000000007314000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_xU1
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000005.00000003.2271877116.0000000008F74000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
          Source: explorer.exe, 00000005.00000003.3073804902.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware20,1
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMWare
          Source: explorer.exe, 00000005.00000003.3073804902.0000000009052000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
          Source: explorer.exe, 00000005.00000003.3077308907.0000000007314000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000005.00000002.3775588613.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008F27000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT`
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
          Source: explorer.exe, 00000005.00000002.3769920724.000000000326A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
          Source: explorer.exe, 00000005.00000000.1362200055.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000005.00000000.1373593359.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.1362200055.0000000000C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_0040ACF0 LdrLoadDll, 4_2_0040ACF0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_015FC156 mov eax, dword ptr fs:[00000030h] 4_2_015FC156
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016D4164 mov eax, dword ptr fs:[00000030h] 4_2_016D4164
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016D4164 mov eax, dword ptr fs:[00000030h] 4_2_016D4164
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01694144 mov eax, dword ptr fs:[00000030h] 4_2_01694144
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01694144 mov eax, dword ptr fs:[00000030h] 4_2_01694144
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01694144 mov ecx, dword ptr fs:[00000030h] 4_2_01694144
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01694144 mov eax, dword ptr fs:[00000030h] 4_2_01694144
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01694144 mov eax, dword ptr fs:[00000030h] 4_2_01694144
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01698158 mov eax, dword ptr fs:[00000030h] 4_2_01698158
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01606154 mov eax, dword ptr fs:[00000030h] 4_2_01606154
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01606154 mov eax, dword ptr fs:[00000030h] 4_2_01606154
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_01630124 mov eax, dword ptr fs:[00000030h] 4_2_01630124
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov ecx, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov ecx, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe Code function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h] 4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE10E mov ecx, dword ptr fs:[00000030h]4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE10E mov eax, dword ptr fs:[00000030h]4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE10E mov ecx, dword ptr fs:[00000030h]4_2_016AE10E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AA118 mov ecx, dword ptr fs:[00000030h]4_2_016AA118
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AA118 mov eax, dword ptr fs:[00000030h]4_2_016AA118
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AA118 mov eax, dword ptr fs:[00000030h]4_2_016AA118
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AA118 mov eax, dword ptr fs:[00000030h]4_2_016AA118
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016C0115 mov eax, dword ptr fs:[00000030h]4_2_016C0115
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D61E5 mov eax, dword ptr fs:[00000030h]4_2_016D61E5
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016301F8 mov eax, dword ptr fs:[00000030h]4_2_016301F8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016C61C3 mov eax, dword ptr fs:[00000030h]4_2_016C61C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016C61C3 mov eax, dword ptr fs:[00000030h]4_2_016C61C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0167E1D0 mov eax, dword ptr fs:[00000030h]4_2_0167E1D0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0167E1D0 mov eax, dword ptr fs:[00000030h]4_2_0167E1D0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0167E1D0 mov ecx, dword ptr fs:[00000030h]4_2_0167E1D0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0167E1D0 mov eax, dword ptr fs:[00000030h]4_2_0167E1D0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0167E1D0 mov eax, dword ptr fs:[00000030h]4_2_0167E1D0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA197 mov eax, dword ptr fs:[00000030h]4_2_015FA197
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA197 mov eax, dword ptr fs:[00000030h]4_2_015FA197
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA197 mov eax, dword ptr fs:[00000030h]4_2_015FA197
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01640185 mov eax, dword ptr fs:[00000030h]4_2_01640185
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016BC188 mov eax, dword ptr fs:[00000030h]4_2_016BC188
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016BC188 mov eax, dword ptr fs:[00000030h]4_2_016BC188
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A4180 mov eax, dword ptr fs:[00000030h]4_2_016A4180
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A4180 mov eax, dword ptr fs:[00000030h]4_2_016A4180
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168019F mov eax, dword ptr fs:[00000030h]4_2_0168019F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168019F mov eax, dword ptr fs:[00000030h]4_2_0168019F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168019F mov eax, dword ptr fs:[00000030h]4_2_0168019F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168019F mov eax, dword ptr fs:[00000030h]4_2_0168019F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162C073 mov eax, dword ptr fs:[00000030h]4_2_0162C073
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01602050 mov eax, dword ptr fs:[00000030h]4_2_01602050
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01686050 mov eax, dword ptr fs:[00000030h]4_2_01686050
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01696030 mov eax, dword ptr fs:[00000030h]4_2_01696030
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01684000 mov ecx, dword ptr fs:[00000030h]4_2_01684000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A2000 mov eax, dword ptr fs:[00000030h]4_2_016A2000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E016 mov eax, dword ptr fs:[00000030h]4_2_0161E016
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E016 mov eax, dword ptr fs:[00000030h]4_2_0161E016
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E016 mov eax, dword ptr fs:[00000030h]4_2_0161E016
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E016 mov eax, dword ptr fs:[00000030h]4_2_0161E016
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA020 mov eax, dword ptr fs:[00000030h]4_2_015FA020
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FC020 mov eax, dword ptr fs:[00000030h]4_2_015FC020
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016860E0 mov eax, dword ptr fs:[00000030h]4_2_016860E0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016080E9 mov eax, dword ptr fs:[00000030h]4_2_016080E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016420F0 mov ecx, dword ptr fs:[00000030h]4_2_016420F0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FC0F0 mov eax, dword ptr fs:[00000030h]4_2_015FC0F0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016820DE mov eax, dword ptr fs:[00000030h]4_2_016820DE
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA0E3 mov ecx, dword ptr fs:[00000030h]4_2_015FA0E3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016980A8 mov eax, dword ptr fs:[00000030h]4_2_016980A8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016C60B8 mov eax, dword ptr fs:[00000030h]4_2_016C60B8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016C60B8 mov ecx, dword ptr fs:[00000030h]4_2_016C60B8
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160208A mov eax, dword ptr fs:[00000030h]4_2_0160208A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F80A0 mov eax, dword ptr fs:[00000030h]4_2_015F80A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A437C mov eax, dword ptr fs:[00000030h]4_2_016A437C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01682349 mov eax, dword ptr fs:[00000030h]4_2_01682349
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D634F mov eax, dword ptr fs:[00000030h]4_2_016D634F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov eax, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov eax, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov eax, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov ecx, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov eax, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0168035C mov eax, dword ptr fs:[00000030h]4_2_0168035C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A8350 mov ecx, dword ptr fs:[00000030h]4_2_016A8350
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016CA352 mov eax, dword ptr fs:[00000030h]4_2_016CA352
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D8324 mov eax, dword ptr fs:[00000030h]4_2_016D8324
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D8324 mov ecx, dword ptr fs:[00000030h]4_2_016D8324
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D8324 mov eax, dword ptr fs:[00000030h]4_2_016D8324
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D8324 mov eax, dword ptr fs:[00000030h]4_2_016D8324
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FC310 mov ecx, dword ptr fs:[00000030h]4_2_015FC310
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163A30B mov eax, dword ptr fs:[00000030h]4_2_0163A30B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163A30B mov eax, dword ptr fs:[00000030h]4_2_0163A30B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163A30B mov eax, dword ptr fs:[00000030h]4_2_0163A30B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01620310 mov ecx, dword ptr fs:[00000030h]4_2_01620310
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016103E9 mov eax, dword ptr fs:[00000030h]4_2_016103E9
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E3F0 mov eax, dword ptr fs:[00000030h]4_2_0161E3F0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E3F0 mov eax, dword ptr fs:[00000030h]4_2_0161E3F0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0161E3F0 mov eax, dword ptr fs:[00000030h]4_2_0161E3F0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016363FF mov eax, dword ptr fs:[00000030h]4_2_016363FF
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A3C0 mov eax, dword ptr fs:[00000030h]4_2_0160A3C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016083C0 mov eax, dword ptr fs:[00000030h]4_2_016083C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016083C0 mov eax, dword ptr fs:[00000030h]4_2_016083C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016083C0 mov eax, dword ptr fs:[00000030h]4_2_016083C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016083C0 mov eax, dword ptr fs:[00000030h]4_2_016083C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016BC3CD mov eax, dword ptr fs:[00000030h]4_2_016BC3CD
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016863C0 mov eax, dword ptr fs:[00000030h]4_2_016863C0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE3DB mov eax, dword ptr fs:[00000030h]4_2_016AE3DB
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE3DB mov eax, dword ptr fs:[00000030h]4_2_016AE3DB
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE3DB mov ecx, dword ptr fs:[00000030h]4_2_016AE3DB
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016AE3DB mov eax, dword ptr fs:[00000030h]4_2_016AE3DB
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A43D4 mov eax, dword ptr fs:[00000030h]4_2_016A43D4
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016A43D4 mov eax, dword ptr fs:[00000030h]4_2_016A43D4
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F8397 mov eax, dword ptr fs:[00000030h]4_2_015F8397
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F8397 mov eax, dword ptr fs:[00000030h]4_2_015F8397
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F8397 mov eax, dword ptr fs:[00000030h]4_2_015F8397
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FE388 mov eax, dword ptr fs:[00000030h]4_2_015FE388
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FE388 mov eax, dword ptr fs:[00000030h]4_2_015FE388
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FE388 mov eax, dword ptr fs:[00000030h]4_2_015FE388
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162438F mov eax, dword ptr fs:[00000030h]4_2_0162438F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162438F mov eax, dword ptr fs:[00000030h]4_2_0162438F
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01604260 mov eax, dword ptr fs:[00000030h]4_2_01604260
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01604260 mov eax, dword ptr fs:[00000030h]4_2_01604260
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01604260 mov eax, dword ptr fs:[00000030h]4_2_01604260
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015FA250 mov eax, dword ptr fs:[00000030h]4_2_015FA250
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016B0274 mov eax, dword ptr fs:[00000030h]4_2_016B0274
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01688243 mov eax, dword ptr fs:[00000030h]4_2_01688243
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01688243 mov ecx, dword ptr fs:[00000030h]4_2_01688243
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D625D mov eax, dword ptr fs:[00000030h]4_2_016D625D
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F826B mov eax, dword ptr fs:[00000030h]4_2_015F826B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01606259 mov eax, dword ptr fs:[00000030h]4_2_01606259
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016BA250 mov eax, dword ptr fs:[00000030h]4_2_016BA250
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016BA250 mov eax, dword ptr fs:[00000030h]4_2_016BA250
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_015F823B mov eax, dword ptr fs:[00000030h]4_2_015F823B
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016102E1 mov eax, dword ptr fs:[00000030h]4_2_016102E1
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016102E1 mov eax, dword ptr fs:[00000030h]4_2_016102E1
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016102E1 mov eax, dword ptr fs:[00000030h]4_2_016102E1
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A2C3 mov eax, dword ptr fs:[00000030h]4_2_0160A2C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A2C3 mov eax, dword ptr fs:[00000030h]4_2_0160A2C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A2C3 mov eax, dword ptr fs:[00000030h]4_2_0160A2C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A2C3 mov eax, dword ptr fs:[00000030h]4_2_0160A2C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0160A2C3 mov eax, dword ptr fs:[00000030h]4_2_0160A2C3
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D62D6 mov eax, dword ptr fs:[00000030h]4_2_016D62D6
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016102A0 mov eax, dword ptr fs:[00000030h]4_2_016102A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016102A0 mov eax, dword ptr fs:[00000030h]4_2_016102A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov eax, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov ecx, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov eax, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov eax, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov eax, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016962A0 mov eax, dword ptr fs:[00000030h]4_2_016962A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163E284 mov eax, dword ptr fs:[00000030h]4_2_0163E284
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163E284 mov eax, dword ptr fs:[00000030h]4_2_0163E284
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01680283 mov eax, dword ptr fs:[00000030h]4_2_01680283
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01680283 mov eax, dword ptr fs:[00000030h]4_2_01680283
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01680283 mov eax, dword ptr fs:[00000030h]4_2_01680283
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163656A mov eax, dword ptr fs:[00000030h]4_2_0163656A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163656A mov eax, dword ptr fs:[00000030h]4_2_0163656A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0163656A mov eax, dword ptr fs:[00000030h]4_2_0163656A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01608550 mov eax, dword ptr fs:[00000030h]4_2_01608550
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01608550 mov eax, dword ptr fs:[00000030h]4_2_01608550
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01610535 mov eax, dword ptr fs:[00000030h]4_2_01610535
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E53E mov eax, dword ptr fs:[00000030h]4_2_0162E53E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E53E mov eax, dword ptr fs:[00000030h]4_2_0162E53E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E53E mov eax, dword ptr fs:[00000030h]4_2_0162E53E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E53E mov eax, dword ptr fs:[00000030h]4_2_0162E53E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E53E mov eax, dword ptr fs:[00000030h]4_2_0162E53E
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_01696500 mov eax, dword ptr fs:[00000030h]4_2_01696500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016D4500 mov eax, dword ptr fs:[00000030h]4_2_016D4500
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_016025E0 mov eax, dword ptr fs:[00000030h]4_2_016025E0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeCode function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]4_2_0162E5E7
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016065D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016805A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016245B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01602582 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01602582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01634588 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015F645D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168C460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162245A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016BA456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01686420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01638402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015FC427 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015FE420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016004E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016064AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016344B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168A4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016BA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01608770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01610770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163674D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01600750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01642750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168E75D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01684755 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167C730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01600710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01630710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168E7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016227ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016047FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0160C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016807C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016B47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016007AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016A678E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016C866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01632674 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0161C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01636620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01638620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0161E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0160262C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0161260B mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167E609 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01642619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167E6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016806F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016366B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01604690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01626962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0164096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0164096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0164096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016A4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016D4940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01680946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0169892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015F8918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168C912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016329F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016969C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0160A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016349D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016CA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016129A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016009AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016889B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016889B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01696870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168E872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01612840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01630854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01604859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016A483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01622835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01622835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01622835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016CA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016D08C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01600887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168C89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015F8B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016B4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_015FCB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016A8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01696B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016CAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016AEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016D2B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016C8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016D4B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01608BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01620BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01600BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016AEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016B4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01610BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_016AEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0167CA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01606A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01610A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0162EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01624A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0168CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_0163AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01656ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01600AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01634AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01608AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Code function: 4_2_01656AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00D439FE FormatMessageW,ConvertLengthToIpv4Mask,InetNtopW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,LocalAlloc,GetAdaptersAddresses,LocalFree,6_2_00D439FE
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00D453F0 SetUnhandledExceptionFilter,6_2_00D453F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 6_2_00D451A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00D451A0
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | NtQueueApcThread: Indirect: 0x147A4F2
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | NtClose: Indirect: 0x147A56C
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Memory written: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Thread register set: target process: 4056
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 4056
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: D40000
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Process created: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 6_2_00D44ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 6_2_00D44ACA
          Source: explorer.exe, 00000005.00000003.2271877116.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1364980306.0000000004880000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000002.3769493228.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1363002118.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000002.3769493228.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1363002118.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
          Source: explorer.exe, 00000005.00000000.1362200055.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3768749661.0000000000C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman
          Source: explorer.exe, 00000005.00000002.3769493228.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1363002118.0000000001440000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe VolumeInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 6_2_00D426AE GetSystemTimeAsFileTime, | 6_2_00D426AE
          Source: C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.1363752343.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Ot7EdLwo881ajbV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.4f00000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ot7EdLwo881ajbV.exe.343e790.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.1363752343.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          MITRE ATT&CK Matrix (count of matching signatures in parentheses)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Shared Modules (1) | DLL Side-Loading (1) | Process Injection (512) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (231) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (141) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (11) | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (512) | NTDS | Virtualization/Sandbox Evasion (141) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (11) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (22) | Proc Filesystem | System Information Discovery (213) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph

          Behavior Graph ID: 1538476 | Sample: Ot7EdLwo881ajbV.exe | Start date: 21/10/2024 | Architecture: WINDOWS | Score: 100

          Contacted domains: www.pon-nacgrz.xyz, www.olicy-yzipy.xyz (Performs DNS queries to domains with low reputation), 10 other IPs or domains
          Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

          Process tree:
          Ot7EdLwo881ajbV.exe (started)
            Dropped: C:\Users\user\...\Ot7EdLwo881ajbV.exe.log, ASCII
            Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
            Ot7EdLwo881ajbV.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              explorer.exe (injected)
                Signatures: Uses ipconfig to lookup or modify the Windows network settings
                ipconfig.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Reads the DNS cache; Maps a DLL or memory area into another process; 2 other signatures
                  cmd.exe (started)
                    conhost.exe (started)

          Antivirus Detection

          Source | Detection | Scanner | Label | Link
          Ot7EdLwo881ajbV.exe | 29% | ReversingLabs | Win32.Trojan.Generic |
          Ot7EdLwo881ajbV.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
                                                                                          unknown
                                                                                          https://word.office.comexplorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.bwuc-ball.xyzReferer:explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.onoyekorerolaothoe.cfd/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://www.adgeter.xyz/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://outlook.comexplorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.pon-nacgrz.xyz/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.alzgroup.netReferer:explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.test-octopus.clickexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.lhakikas.net/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.oneydewsolutions.netexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.adgeter.xyz/dr14/www.lhakikas.netexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000005.00000002.3775588613.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271877116.0000000008F83000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.bwuc-ball.xyz/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.ntalaxlesbabbool.cfd/dr14/www.ltj-democratic.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.alzgroup.net/dr14/www.ieryfiertzframing.cfdexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.pioux.xyz/dr14/www.pon-nacgrz.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.olicy-yzipy.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000005.00000002.3775588613.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075191865.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272963365.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1373593359.0000000008F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://www.onoyekorerolaothoe.cfdReferer:explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.ractice-eiddyy.xyz/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://www.pollensense.com/explorer.exe, 00000005.00000002.3771427420.00000000071A4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.olicy-yzipy.xyz/dr14/www.pioux.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://schemas.microexplorer.exe, 00000005.00000002.3773443635.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3773414956.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1372069344.0000000007C70000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.ltj-democratic.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.ntalaxlesbabbool.cfdexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.pioux.xyzexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.lhakikas.netexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://www.alzgroup.net/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.pon-nacgrz.xyzReferer:explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.iadomus.net/dr14/explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.ractice-eiddyy.xyz/dr14/Pexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.ypewriter.proexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.ieryfiertzframing.cfd/dr14/www.ntalaxlesbabbool.cfdexplorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.ntalaxlesbabbool.cfdReferer:explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm | explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.adgeter.xyzReferer: | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.lhakikas.netReferer: | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ltj-democratic.xyzReferer: | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.com | explorer.exe, 00000005.00000000.1375956423.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3779271070.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.pioux.xyz/dr14/ | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.foreca.com | explorer.exe, 00000005.00000002.3771427420.00000000071A4000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.alzgroup.net | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.test-octopus.click/dr14/www.ractice-eiddyy.xyz | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.test-octopus.click/dr14/ | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ieryfiertzframing.cfd/dr14/ | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ypewriter.pro/dr14/www.bwuc-ball.xyz | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.iadomus.net/dr14/www.alzgroup.net | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.test-octopus.clickReferer: | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.adgeter.xyz | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.pon-nacgrz.xyz | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000005.00000000.1373593359.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ypewriter.proReferer: | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.onoyekorerolaothoe.cfd | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000005.00000002.3771427420.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1365767121.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ntalaxlesbabbool.cfd/dr14/ | explorer.exe, 00000005.00000003.2271845822.000000000C544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271390445.000000000C4E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3781630237.000000000C54D000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1538476
Start date and time:2024-10-21 11:28:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 44s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Ot7EdLwo881ajbV.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@8/1@12/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 110
• Number of non-executed functions: 325
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Ot7EdLwo881ajbV.exe
Time | Type | Description
05:29:18 | API Interceptor | 1x Sleep call for process: Ot7EdLwo881ajbV.exe modified
05:29:28 | API Interceptor | 9667077x Sleep call for process: explorer.exe modified
06:33:03 | API Interceptor | 8105506x Sleep call for process: ipconfig.exe modified
No context
Process:C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1415
Entropy (8bit):5.352427679901606
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:97AD91F1C1F572C945DA12233082171D
SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                Entropy (8bit):7.96317591736399
                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                                                                                File name:Ot7EdLwo881ajbV.exe
                                                                                                                                                                                                                File size:632'320 bytes
                                                                                                                                                                                                                MD5:f99cdd71043a75d4fe553fb39de6d3e5
                                                                                                                                                                                                                SHA1:28d123dd5f049724ec34cea59a73fb7385b3f904
                                                                                                                                                                                                                SHA256:356dd4d1abe930b8189e5d5a1870c6a70236a12db73b24c19d0e461056c15dfa
                                                                                                                                                                                                                SHA512:08cd7223a4019ed691c67e3c93fa7852842235108baaeb21e2ffb14426b0cfd35086ffb7542f675d863a937601f1f8cd1a11ca1f3ef908dd879e445dcee94956
                                                                                                                                                                                                                SSDEEP:12288:jfAcXkhMOoltiJ5i/6Ob/Bc1WsML0oORqYQb7Z4TwmlKfKPH1fG0Q4bXtk+yE:pkh5oDiJ5i/6ObZcpMnnYQvZo8fKdf/T
                                                                                                                                                                                                                TLSH:D2D4229A75684F1BCAFDA3F68073986007B734110463DB442ECAA0E766B7F099B11F5A
                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................
                                                                                                                                                                                                                Icon Hash:070b2365ecc8682b
                                                                                                                                                                                                                Entrypoint:0x49a4d2
                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                Time Stamp:0x6715B8FF [Mon Oct 21 02:14:23 2024 UTC]
                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint 0x49a4d2; only the first instruction is code: an indirect jmp through the IAT slot at 0x402000, the stub by which a .NET executable hands control to the CLR loader. The bytes after it are data and padding that the linear disassembler still renders as instructions; "add byte ptr [eax], al" is the decoding of two zero bytes)
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al (repeated 82 times: the remaining bytes of the listing are zero)
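Added example, not from the Joe Sandbox report or the sample itself: a standard-library Python triage of the static fields listed above (image base, entrypoint, time stamp, DLL characteristics) together with the IMAGE_DIRECTORY_ENTRY_IMPORT entry from the data-directory table. The six stub bytes are the x86 encoding of the `jmp dword ptr [00402000h]` shown in the disassembly; the zero padding after them, the field names, and the assumption that a compiler-built .NET image keeps its IAT at RVA 0x2000 (first bytes of .text) are mine, not the report's.

```python
# Added example (not part of the Joe Sandbox report): decode the static PE
# fields a sandbox report lists, using only the standard library.
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Values copied from the report for Ot7EdLwo881ajbV.exe; key names are mine.
REPORT_FIELDS = {
    "image_base": 0x400000,
    "entry_point_va": 0x49A4D2,
    "time_date_stamp": 0x6715B8FF,
    "dll_characteristics": ["DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"],
    "import_dir": (0x9A480, 0x4F),  # (RVA, size) of IMAGE_DIRECTORY_ENTRY_IMPORT
}
# Constructed: x86 encoding of "jmp dword ptr [0x402000]" (FF 25 + LE abs32)
# followed by zero padding standing in for the non-code bytes after the stub.
ENTRY_CODE = b"\xff\x25\x00\x20\x40\x00" + b"\x00" * 10

# Assumption: conventional csc/ilasm layout puts the single-slot IAT at RVA 0x2000.
CLR_IAT_RVA = 0x2000


def encode_dll_characteristics(names) -> int:
    """Build the 16-bit DllCharacteristics value from the flag names a report lists."""
    by_name = {n: b for b, n in DLL_CHARACTERISTICS.items()}
    return sum(by_name[n] for n in names)


def decode_dll_characteristics(value: int) -> list:
    """Name the IMAGE_DLLCHARACTERISTICS_* bits set in a DllCharacteristics value."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def pe_timestamp_utc(time_date_stamp: int) -> str:
    """Render IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC) as text."""
    return datetime.fromtimestamp(time_date_stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def decode_entry_stub(code: bytes, image_base: int) -> dict:
    """Decode an x86 'jmp dword ptr [abs32]' (FF 25 disp32) found at a PE32 entrypoint.

    A lone indirect jmp through the IAT is the stub .NET compilers emit so the
    Windows loader lands in mscoree!_CorExeMain. Anything else is reported as
    not matching, which is the cue to look for a native packer or a patched entry.
    """
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return {"is_indirect_jmp": False}
    slot_va = struct.unpack_from("<I", code, 2)[0]
    return {"is_indirect_jmp": True, "slot_va": slot_va, "slot_rva": slot_va - image_base}


def triage(fields: dict, entry_code: bytes) -> dict:
    """Summarise the static fields the way a first-pass PE triage would."""
    entry_rva = fields["entry_point_va"] - fields["image_base"]
    imp_rva, imp_size = fields["import_dir"]
    stub = decode_entry_stub(entry_code, fields["image_base"])
    value = encode_dll_characteristics(fields["dll_characteristics"])
    return {
        "built_utc": pe_timestamp_utc(fields["time_date_stamp"]),
        "dll_characteristics_value": value,
        "dll_characteristics": decode_dll_characteristics(value),
        "entry_rva": entry_rva,
        # In compiler-emitted .NET images the 6-byte stub sits right after the
        # import directory data; an entrypoint far from it deserves a closer look.
        "entry_follows_import_dir": imp_rva + imp_size <= entry_rva < imp_rva + imp_size + 16,
        "entry_stub": stub,
        "looks_like_clr_stub": stub["is_indirect_jmp"] and stub["slot_rva"] == CLR_IAT_RVA,
    }


if __name__ == "__main__":
    for key, val in triage(REPORT_FIELDS, ENTRY_CODE).items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```

The two consistency checks are the useful part: the entrypoint RVA 0x9a4d2 starts three bytes after the end of the import directory (0x9a480 + 0x4f), and the jmp target minus the image base is 0x2000, so the header is that of an unremarkable compiler-built .NET executable; the packing that the behavioural signatures describe lives inside the managed code, not in the PE envelope.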
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9a480 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x1aac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x98b3c | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x984f8 | 0x98600 | 6dc59d903612e8b3c7746ce80e7846a9 | False | 0.9715186628383922 | data | 7.971068803283514 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9c000 | 0x1aac | 0x1c00 | 365b6e5fc189bc693db55b68b21bcc3a | False | 0.8443080357142857 | data | 7.146793479177449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9e000 | 0xc | 0x200 | 1c13b70260b3c31a66e77d8ebfb3f953 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9c0c8 | 0x16a5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9608418147317578
RT_GROUP_ICON | 0x9d780 | 0x14 | data | - | - | 1.05
RT_VERSION | 0x9d7a4 | 0x304 | data | - | - | 0.44430051813471505

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 11:29:50.860541105 CEST | 53 | 61861 | 162.159.36.2 | 192.168.2.7
Oct 21, 2024 11:29:51.483799934 CEST | 64380 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:29:51.496952057 CEST | 53 | 64380 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:29:57.071113110 CEST | 62547 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:29:57.081002951 CEST | 53 | 62547 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:30:16.461123943 CEST | 65339 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:30:16.470148087 CEST | 53 | 65339 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:30:36.405399084 CEST | 60291 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:30:36.437582016 CEST | 53 | 60291 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:30:57.487634897 CEST | 49811 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:30:57.500143051 CEST | 53 | 49811 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:31:38.403954029 CEST | 54875 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:31:38.417784929 CEST | 53 | 54875 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:31:58.852592945 CEST | 51957 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:31:58.862392902 CEST | 53 | 51957 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:32:19.445097923 CEST | 59354 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:32:19.464878082 CEST | 53 | 59354 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:32:39.828530073 CEST | 50712 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:32:39.840034962 CEST | 53 | 50712 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:33:00.328196049 CEST | 56618 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:33:00.371109009 CEST | 53 | 56618 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:33:20.760128975 CEST | 62341 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:33:20.769387960 CEST | 53 | 62341 | 1.1.1.1 | 192.168.2.7
Oct 21, 2024 11:33:42.368170023 CEST | 50103 | 53 | 192.168.2.7 | 1.1.1.1
Oct 21, 2024 11:33:42.377676964 CEST | 53 | 50103 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 11:29:51.483799934 CEST | 192.168.2.7 | 1.1.1.1 | 0x5e74 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 21, 2024 11:29:57.071113110 CEST | 192.168.2.7 | 1.1.1.1 | 0x1559 | Standard query (0) | www.oneydewsolutions.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:16.461123943 CEST | 192.168.2.7 | 1.1.1.1 | 0x41da | Standard query (0) | www.adgeter.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:36.405399084 CEST | 192.168.2.7 | 1.1.1.1 | 0x5314 | Standard query (0) | www.lhakikas.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:57.487634897 CEST | 192.168.2.7 | 1.1.1.1 | 0x80c9 | Standard query (0) | www.olicy-yzipy.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:31:38.403954029 CEST | 192.168.2.7 | 1.1.1.1 | 0x8319 | Standard query (0) | www.pon-nacgrz.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:31:58.852592945 CEST | 192.168.2.7 | 1.1.1.1 | 0xd666 | Standard query (0) | www.ypewriter.pro | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:32:19.445097923 CEST | 192.168.2.7 | 1.1.1.1 | 0xeb8d | Standard query (0) | www.bwuc-ball.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:32:39.828530073 CEST | 192.168.2.7 | 1.1.1.1 | 0x273d | Standard query (0) | www.iadomus.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:00.328196049 CEST | 192.168.2.7 | 1.1.1.1 | 0xc1bf | Standard query (0) | www.alzgroup.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:20.760128975 CEST | 192.168.2.7 | 1.1.1.1 | 0x5adf | Standard query (0) | www.ieryfiertzframing.cfd | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:42.368170023 CEST | 192.168.2.7 | 1.1.1.1 | 0x2660 | Standard query (0) | www.ntalaxlesbabbool.cfd | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 11:29:51.496952057 CEST | 1.1.1.1 | 192.168.2.7 | 0x5e74 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 21, 2024 11:29:57.081002951 CEST | 1.1.1.1 | 192.168.2.7 | 0x1559 | Name error (3) | www.oneydewsolutions.net | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:16.470148087 CEST | 1.1.1.1 | 192.168.2.7 | 0x41da | Name error (3) | www.adgeter.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:36.437582016 CEST | 1.1.1.1 | 192.168.2.7 | 0x5314 | Name error (3) | www.lhakikas.net | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:30:57.500143051 CEST | 1.1.1.1 | 192.168.2.7 | 0x80c9 | Name error (3) | www.olicy-yzipy.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:31:38.417784929 CEST | 1.1.1.1 | 192.168.2.7 | 0x8319 | Name error (3) | www.pon-nacgrz.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:31:58.862392902 CEST | 1.1.1.1 | 192.168.2.7 | 0xd666 | Name error (3) | www.ypewriter.pro | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:32:19.464878082 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb8d | Name error (3) | www.bwuc-ball.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:32:39.840034962 CEST | 1.1.1.1 | 192.168.2.7 | 0x273d | Name error (3) | www.iadomus.net | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:00.371109009 CEST | 1.1.1.1 | 192.168.2.7 | 0xc1bf | Name error (3) | www.alzgroup.net | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:20.769387960 CEST | 1.1.1.1 | 192.168.2.7 | 0x5adf | Name error (3) | www.ieryfiertzframing.cfd | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 11:33:42.377676964 CEST | 1.1.1.1 | 192.168.2.7 | 0x2660 | Name error (3) | www.ntalaxlesbabbool.cfd | none | none | A (IP address) | IN (0x0001) | false

Target ID:0
Start time:05:29:14
Start date:21/10/2024
Path:C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
Imagebase:0x100000
File size:632'320 bytes
MD5 hash:F99CDD71043A75D4FE553FB39DE6D3E5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1363752343.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1361586111.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low
Has exited:true

Target ID:4
Start time:05:29:20
Start date:21/10/2024
Path:C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
Imagebase:0x9b0000
File size:632'320 bytes
MD5 hash:F99CDD71043A75D4FE553FB39DE6D3E5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                Start time:05:29:20
                                                                                                                                                                                                                Start date:21/10/2024
                                                                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                                Imagebase:0x7ff70ffd0000
                                                                                                                                                                                                                File size:5'141'208 bytes
                                                                                                                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                Start time:05:29:23
                                                                                                                                                                                                                Start date:21/10/2024
                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:"C:\Windows\SysWOW64\ipconfig.exe"
                                                                                                                                                                                                                Imagebase:0xd40000
                                                                                                                                                                                                                File size:29'184 bytes
                                                                                                                                                                                                                MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3769161456.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3769205652.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                Start time:05:29:26
                                                                                                                                                                                                                Start date:21/10/2024
                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:/c del "C:\Users\user\Desktop\Ot7EdLwo881ajbV.exe"
                                                                                                                                                                                                                Imagebase:0x410000
                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                Start time:05:29:26
                                                                                                                                                                                                                Start date:21/10/2024
                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:true


                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                  Execution Coverage:9.5%
                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                                  Total number of Nodes:207
                                                                                                                                                                                                                  Total number of Limit Nodes:13

Control-flow Graph
control_flow_graph 294 228d370-228d40f GetCurrentProcess 298 228d418-228d44c GetCurrentThread 294->298 299 228d411-228d417 294->299 300 228d44e-228d454 298->300 301 228d455-228d489 GetCurrentProcess 298->301 299->298 300->301 302 228d48b-228d491 301->302 303 228d492-228d4ad call 228d552 301->303 302->303 307 228d4b3-228d4e2 GetCurrentThreadId 303->307 308 228d4eb-228d54d 307->308 309 228d4e4-228d4ea 307->309 309->308
APIs
• GetCurrentProcess.KERNEL32 ref: 0228D3FE
• GetCurrentThread.KERNEL32 ref: 0228D43B
• GetCurrentProcess.KERNEL32 ref: 0228D478
• GetCurrentThreadId.KERNEL32 ref: 0228D4D1
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 03f8cd3db538dbe47a6160ca820dfa9dd09986dccf4cdf81647cf68f674899be
• Instruction ID: b8c2f128b482e1d4b601ea9e5bac90e050112ec3d3136eabf6b2ad0fa7be3716
• Opcode Fuzzy Hash: 03f8cd3db538dbe47a6160ca820dfa9dd09986dccf4cdf81647cf68f674899be
• Instruction Fuzzy Hash: 905178B09013098FEB14EFAAD548B9EBBF1EB48314F208069D419A7390DB34AD49CF61

Control-flow Graph
control_flow_graph 316 228d380-228d40f GetCurrentProcess 320 228d418-228d44c GetCurrentThread 316->320 321 228d411-228d417 316->321 322 228d44e-228d454 320->322 323 228d455-228d489 GetCurrentProcess 320->323 321->320 322->323 324 228d48b-228d491 323->324 325 228d492-228d4ad call 228d552 323->325 324->325 329 228d4b3-228d4e2 GetCurrentThreadId 325->329 330 228d4eb-228d54d 329->330 331 228d4e4-228d4ea 329->331 331->330
APIs
• GetCurrentProcess.KERNEL32 ref: 0228D3FE
• GetCurrentThread.KERNEL32 ref: 0228D43B
• GetCurrentProcess.KERNEL32 ref: 0228D478
• GetCurrentThreadId.KERNEL32 ref: 0228D4D1
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: f798db05cb9ac48bcb0be03c133cb120dd4d639355ac197f32922ea70dba5d25
• Instruction ID: c2794835bf6e6778beda4b7a0112264ca6288b47b132e0b09bd93468471d6551
• Opcode Fuzzy Hash: f798db05cb9ac48bcb0be03c133cb120dd4d639355ac197f32922ea70dba5d25
• Instruction Fuzzy Hash: 295167B09013098FEB14EFAAD548B9EBBF1EB48314F208069D419A7390DB34AC49CF61

Control-flow Graph
control_flow_graph 406 69c9594-69c9635 408 69c966e-69c968e 406->408 409 69c9637-69c9641 406->409 416 69c96c7-69c96f6 408->416 417 69c9690-69c969a 408->417 409->408 410 69c9643-69c9645 409->410 411 69c9668-69c966b 410->411 412 69c9647-69c9651 410->412 411->408 414 69c9655-69c9664 412->414 415 69c9653 412->415 414->414 418 69c9666 414->418 415->414 423 69c972f-69c97e9 CreateProcessA 416->423 424 69c96f8-69c9702 416->424 417->416 419 69c969c-69c969e 417->419 418->411 421 69c96a0-69c96aa 419->421 422 69c96c1-69c96c4 419->422 425 69c96ac 421->425 426 69c96ae-69c96bd 421->426 422->416 437 69c97eb-69c97f1 423->437 438 69c97f2-69c9878 423->438 424->423 428 69c9704-69c9706 424->428 425->426 426->426 427 69c96bf 426->427 427->422 429 69c9708-69c9712 428->429 430 69c9729-69c972c 428->430 432 69c9714 429->432 433 69c9716-69c9725 429->433 430->423 432->433 433->433 435 69c9727 433->435 435->430 437->438 448 69c9888-69c988c 438->448 449 69c987a-69c987e 438->449 451 69c989c-69c98a0 448->451 452 69c988e-69c9892 448->452 449->448 450 69c9880 449->450 450->448 454 69c98b0-69c98b4 451->454 455 69c98a2-69c98a6 451->455 452->451 453 69c9894 452->453 453->451 457 69c98c6-69c98cd 454->457 458 69c98b6-69c98bc 454->458 455->454 456 69c98a8 455->456 456->454 459 69c98cf-69c98de 457->459 460 69c98e4 457->460 458->457 459->460 462 69c98e5 460->462 462->462
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069C97D6
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 5e5f19eb00611b5a07844a41c9683a4879b136651dca13f1977f6252a7de223c
• Instruction ID: 9a0dedb0936f7d794a1f3d9e88525f03abfd62cf6a8c65f98f5ddbd895390557
• Opcode Fuzzy Hash: 5e5f19eb00611b5a07844a41c9683a4879b136651dca13f1977f6252a7de223c
• Instruction Fuzzy Hash: 2CA17D71D00719CFEB64DFA8C841BEDBBB6BF44314F1485A9E808A7280DB759985CF92

Control-flow Graph
control_flow_graph 463 69c95a0-69c9635 465 69c966e-69c968e 463->465 466 69c9637-69c9641 463->466 473 69c96c7-69c96f6 465->473 474 69c9690-69c969a 465->474 466->465 467 69c9643-69c9645 466->467 468 69c9668-69c966b 467->468 469 69c9647-69c9651 467->469 468->465 471 69c9655-69c9664 469->471 472 69c9653 469->472 471->471 475 69c9666 471->475 472->471 480 69c972f-69c97e9 CreateProcessA 473->480 481 69c96f8-69c9702 473->481 474->473 476 69c969c-69c969e 474->476 475->468 478 69c96a0-69c96aa 476->478 479 69c96c1-69c96c4 476->479 482 69c96ac 478->482 483 69c96ae-69c96bd 478->483 479->473 494 69c97eb-69c97f1 480->494 495 69c97f2-69c9878 480->495 481->480 485 69c9704-69c9706 481->485 482->483 483->483 484 69c96bf 483->484 484->479 486 69c9708-69c9712 485->486 487 69c9729-69c972c 485->487 489 69c9714 486->489 490 69c9716-69c9725 486->490 487->480 489->490 490->490 492 69c9727 490->492 492->487 494->495 505 69c9888-69c988c 495->505 506 69c987a-69c987e 495->506 508 69c989c-69c98a0 505->508 509 69c988e-69c9892 505->509 506->505 507 69c9880 506->507 507->505 511 69c98b0-69c98b4 508->511 512 69c98a2-69c98a6 508->512 509->508 510 69c9894 509->510 510->508 514 69c98c6-69c98cd 511->514 515 69c98b6-69c98bc 511->515 512->511 513 69c98a8 512->513 513->511 516 69c98cf-69c98de 514->516 517 69c98e4 514->517 515->514 516->517 519 69c98e5 517->519 519->519
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069C97D6
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 412cae8eabc274ad3df201aff4c0ea9afb97a37f26b65f2e17f8bb86ca4ffb75
• Instruction ID: 726324657bff1fc90b11e83f607828df7cc2684ede01b2a946f4be8998fe4c4f
• Opcode Fuzzy Hash: 412cae8eabc274ad3df201aff4c0ea9afb97a37f26b65f2e17f8bb86ca4ffb75
• Instruction Fuzzy Hash: 17918E71D00719CFEB64DFA8C840BEDBBB6BF44310F1485A9E808A7280DB759985CF92

Control-flow Graph
control_flow_graph 520 228b0e8-228b0f7 521 228b0f9-228b106 call 2289b54 520->521 522 228b123-228b127 520->522 527 228b108 521->527 528 228b11c 521->528 523 228b129-228b133 522->523 524 228b13b-228b17c 522->524 523->524 531 228b189-228b197 524->531 532 228b17e-228b186 524->532 578 228b10e call 228b370 527->578 579 228b10e call 228b380 527->579 528->522 534 228b199-228b19e 531->534 535 228b1bb-228b1bd 531->535 532->531 533 228b114-228b116 533->528 538 228b258-228b276 533->538 536 228b1a9 534->536 537 228b1a0-228b1a7 call 228ad50 534->537 539 228b1c0-228b1c7 535->539 541 228b1ab-228b1b9 536->541 537->541 553 228b279-228b27f 538->553 542 228b1c9-228b1d1 539->542 543 228b1d4-228b1db 539->543 541->539 542->543 545 228b1e8-228b1f1 call 228ad60 543->545 546 228b1dd-228b1e5 543->546 551 228b1fe-228b203 545->551 552 228b1f3-228b1fb 545->552 546->545 554 228b221-228b225 551->554 555 228b205-228b20c 551->555 552->551 559 228b280-228b2d0 553->559 560 228b2d1-228b318 553->560 580 228b228 call 228b670 554->580 581 228b228 call 228b680 554->581 555->554 556 228b20e-228b21e call 228ad70 call 228ad80 555->556 556->554 559->553 559->560 562 228b31a-228b31d 560->562 563 228b320-228b34b GetModuleHandleW 560->563 561 228b22b-228b22e 565 228b230-228b24e 561->565 566 228b251-228b257 561->566 562->563 568 228b34d-228b353 563->568 569 228b354-228b368 563->569 565->566 568->569 578->533 579->533 580->561 581->561
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0228B33E
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 26f93b20cf5a82b711f16d86ba044eb425f60153909f39b15935976619a86dec
• Instruction ID: 98297828c61eee05db7c8a585f77552ed728d8abbbcf4b4ab2c7acf0e5df6af7
• Opcode Fuzzy Hash: 26f93b20cf5a82b711f16d86ba044eb425f60153909f39b15935976619a86dec
• Instruction Fuzzy Hash: 30816B70A11B058FDB24EF69D45076ABBF1FF88308F008A2DD446DBA94DB75E849CB91

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
control_flow_graph 690 228590c-22859d9 CreateActCtxA 692 22859db-22859e1 690->692 693 22859e2-2285a3c 690->693 692->693 700 2285a4b-2285a4f 693->700 701 2285a3e-2285a41 693->701 702 2285a60 700->702 703 2285a51-2285a5d 700->703 701->700 705 2285a61 702->705 703->702 705->705
APIs
• CreateActCtxA.KERNEL32(?), ref: 022859C9
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b9b9a87c19ce06509a5bee99fb0ccb0d179a87d579374393cc3be5af78c85638
• Instruction ID: 57a28945c557c771454eb3d2a5c0edf72aa165b0ab09b1c90de159f2c4880885
• Opcode Fuzzy Hash: b9b9a87c19ce06509a5bee99fb0ccb0d179a87d579374393cc3be5af78c85638
• Instruction Fuzzy Hash: 4641F171C01719CBEB24DFA9C884BCEBBF1BF49304F60816AD408AB255DB75694ACF90

Control-flow Graph

control_flow_graph 706 22844b0-22859d9 CreateActCtxA 709 22859db-22859e1 706->709 710 22859e2-2285a3c 706->710 709->710 717 2285a4b-2285a4f 710->717 718 2285a3e-2285a41 710->718 719 2285a60 717->719 720 2285a51-2285a5d 717->720 718->717 722 2285a61 719->722 720->719 722->722
APIs
• CreateActCtxA.KERNEL32(?), ref: 022859C9
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 4a34b36f11297c8f426c9cd11dea82c81d2f6a0132c945c518f2ecf6512f942c
• Instruction ID: 1e80be1641d98b516a8695f57637be50e7c46924e624b33bf994289f69c9fc8b
• Opcode Fuzzy Hash: 4a34b36f11297c8f426c9cd11dea82c81d2f6a0132c945c518f2ecf6512f942c
• Instruction Fuzzy Hash: E341F270C1171DCBEB24DFA9C884B8EBBF5BF49304F60816AD408AB255DB75A946CF90

Control-flow Graph

control_flow_graph 723 69c9310-69c9366 726 69c9368-69c9374 723->726 727 69c9376-69c93b5 WriteProcessMemory 723->727 726->727 729 69c93be-69c93ee 727->729 730 69c93b7-69c93bd 727->730 730->729
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069C93A8
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: b55343d157747b5bd6a7050926d68574d223453938f44fad4d0642f4056a6ea2
• Instruction ID: 299539fa1268f6caf10cad73935a2dffc47370e52963df263cff5d38e8e17517
• Opcode Fuzzy Hash: b55343d157747b5bd6a7050926d68574d223453938f44fad4d0642f4056a6ea2
• Instruction Fuzzy Hash: 89214475D003099FDB10DFAAC885BDEBBF5FF48320F50842AE919A7280D7799901CBA0

Control-flow Graph

control_flow_graph 734 69c9318-69c9366 736 69c9368-69c9374 734->736 737 69c9376-69c93b5 WriteProcessMemory 734->737 736->737 739 69c93be-69c93ee 737->739 740 69c93b7-69c93bd 737->740 740->739
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069C93A8
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: d826a63a97cfef7a4eb8e568497ce392b44cfa329bf37afa817f3848a32fa774
• Instruction ID: 05ce65965722b98883b114af16e479708df30fc131ce4bcd832c85ac23cdb8c4
• Opcode Fuzzy Hash: d826a63a97cfef7a4eb8e568497ce392b44cfa329bf37afa817f3848a32fa774
• Instruction Fuzzy Hash: 3B214471D003099FDB10CFAAC881BDEBBF5FF48320F50842AE919A7280C7799941CBA1

Control-flow Graph

control_flow_graph 754 69c9400-69c9495 ReadProcessMemory 758 69c949e-69c94ce 754->758 759 69c9497-69c949d 754->759 759->758
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069C9488
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 9e575566276d9babad74d053dea051d400155970868b2888fa25606825ecb8bd
• Instruction ID: 0ef5f8770588d2603d39c9af515b285154ee31be01aca76bfff605f07e48cdf7
• Opcode Fuzzy Hash: 9e575566276d9babad74d053dea051d400155970868b2888fa25606825ecb8bd
• Instruction Fuzzy Hash: 29212671C003099FDB10DFAAC841BDEBBF5FF48320F548529E929A7650C7759901CBA4

Control-flow Graph

control_flow_graph 744 69c9178-69c91cb 746 69c91cd-69c91d9 744->746 747 69c91db-69c920b Wow64SetThreadContext 744->747 746->747 749 69c920d-69c9213 747->749 750 69c9214-69c9244 747->750 749->750
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069C91FE
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 566a18caf4a29a0e6be2aa1b63934566b36eb0c63f3d883838948ca94bc6d5a4
• Instruction ID: 1570311fd625de45b2daa6946115c842d2206e02e5adcaf77272ed64ccd62f1b
• Opcode Fuzzy Hash: 566a18caf4a29a0e6be2aa1b63934566b36eb0c63f3d883838948ca94bc6d5a4
• Instruction Fuzzy Hash: 3E213671D003098FDB14DFAAC4857EEBBF4AB48324F54842ED459A7240CB789946CFA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228D64F
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 34a41531348bb674be7637f48978cc7746f20138f518f84a9aafbc5e015e5ae0
• Instruction ID: 7fbea3f15bdd612d985ba655912a5dc0c33957ec9a4c67e6d32cef95e691e861
• Opcode Fuzzy Hash: 34a41531348bb674be7637f48978cc7746f20138f518f84a9aafbc5e015e5ae0
• Instruction Fuzzy Hash: 8621E4B5D012099FDB10CFAAD985ADEBBF4EB48324F14801AE918A7350D379A945CFA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069C9488
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 603dede953f9679cc8d06b00048819b5ea92c22f77236c22b3d2fc3e1d1fcab4
• Instruction ID: 92d54a1e87b1759ccded32ced4fea433c8a22395e9d799b8d6fcded5d1ac9f29
• Opcode Fuzzy Hash: 603dede953f9679cc8d06b00048819b5ea92c22f77236c22b3d2fc3e1d1fcab4
• Instruction Fuzzy Hash: 10211471C003599FDB10DFAAC881BEEBBF5FF48320F50842AE919A7640C7799901CBA5
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069C91FE
Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                                                                                  • Opcode ID: 111e33fec930187ce9a7865d04f226449ad408041d1ff20f10149e992e7e05d7
                                                                                                                                                                                                                  • Instruction ID: 68d72018d2fb2c982a9f85f3666920dbdf774be7ed5b3dce85b1ad3291c93159
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 111e33fec930187ce9a7865d04f226449ad408041d1ff20f10149e992e7e05d7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58213571D003098FDB10DFAAC885BAEBBF4EF48324F54842ED859A7640CB789945CFA5
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228D64F
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                                                                                  • Opcode ID: 8119e4286e7d3bf4eb2b0dcf2c2f7e892c175f482ce2ee3a2c733349ef1c2daa
                                                                                                                                                                                                                  • Instruction ID: a3c8c0daf0e21d77dfb31efe83d86365e0277488b4c8658f893582beb85697d4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8119e4286e7d3bf4eb2b0dcf2c2f7e892c175f482ce2ee3a2c733349ef1c2daa
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E21E4B5D002099FDB10CFAAD984ADEBBF8EB48314F14801AE918A3350D379A944CFA4
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069C92C6
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                  • Opcode ID: 4966800ca6dd68db487aeb6081b43b9893e1f17ed3175a8edbf6af67b3a392c0
                                                                                                                                                                                                                  • Instruction ID: 25ab53ae13eedc52ed345174d81d110e4121e90b55b937811b847e8dee319abc
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4966800ca6dd68db487aeb6081b43b9893e1f17ed3175a8edbf6af67b3a392c0
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D114776C002098FDB20DFA9D845BDEBBF5EB48320F248519E519A7650C7359901CF90
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069C92C6
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                  • Opcode ID: 178f803be04f1053de061a350de9f3d4feac2f614dc030120e197cb022e66d66
                                                                                                                                                                                                                  • Instruction ID: 4ba7a00ce3c5f315a56af9cb180ce6c1d1edb8337957c7b2e85bbd71291b4d5b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 178f803be04f1053de061a350de9f3d4feac2f614dc030120e197cb022e66d66
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C115671C003098FDB20DFAAC844BDEBBF5EB48320F508419E519A7650CB35A901CFA0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                                                                                  • Opcode ID: c3167b7a2597f3cf86f34e5305cf9000b0457fd2decb6d569549c6e460d2ae02
                                                                                                                                                                                                                  • Instruction ID: ade656db49b42166a4d5e1f6bdc52d66a213b4e3eb8f92aad5142eaa687806db
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3167b7a2597f3cf86f34e5305cf9000b0457fd2decb6d569549c6e460d2ae02
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A7114671C003488FDB24DFAAC4467EEFBF4EB88324F60841ED419A7640CA356902CF94
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                                                                                  • Opcode ID: 953a7cab731d1f62b222bcb714a4584bc098b246b916091cd9bc8a013b38c587
                                                                                                                                                                                                                  • Instruction ID: 68b70c9153f0c75862a40f88753fe46bb9d27529f8b38c33817c2e985887c7c7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 953a7cab731d1f62b222bcb714a4584bc098b246b916091cd9bc8a013b38c587
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8115871C003488FDB20DFAAC84579EFBF8AB48324F608419D419A7640CA356901CFA4
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CB85D
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                                                  • Opcode ID: 2bee87b7da7cbee110f566e443ab90112d705a123dbc84407fbb0b71e771cc5d
                                                                                                                                                                                                                  • Instruction ID: 71f68cbb3fa074b3751fa924bd4a2f3ad2dfbb813e2da37d3d91e3787a1faf49
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2bee87b7da7cbee110f566e443ab90112d705a123dbc84407fbb0b71e771cc5d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B311E3B58003499FDB10DF99D486BDEBFF8EB48324F20841AE519A7610C375A545CFA1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0228B33E
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                                                                  • Opcode ID: 5452379007f13de81593819577f17049714dcf261aaba897851f0afa95bca6a6
                                                                                                                                                                                                                  • Instruction ID: da3390d4d50e1d6b44d0fca5538d76105124c3e9f29da68e48bb5106325b2b0f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5452379007f13de81593819577f17049714dcf261aaba897851f0afa95bca6a6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F51110B6C003498FDB20DF9AC444BDEFBF4EB88328F10842AD429A7250C379A545CFA1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CB85D
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                                                  • Opcode ID: 09720fd617063505a08b40789c4d60300473112883776ca758320fcdc6f2a2d6
                                                                                                                                                                                                                  • Instruction ID: a492479e51109abc5fee4df3fb179bbfdc0bfc92502797e420f884c59dc89994
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09720fd617063505a08b40789c4d60300473112883776ca758320fcdc6f2a2d6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B81103B5800349DFDB60DF9AD845BDEBBF8EB48324F20841AE519A7600C375A944CFA5
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 069CE388
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2962429428-0
                                                                                                                                                                                                                  • Opcode ID: 227c4ac245949053cab5705428e3f315a792a81abb17d8d9c54ec34d00b4db77
                                                                                                                                                                                                                  • Instruction ID: c252a4977a6990eab5901ae9157e519ee865f448da618885e77c3dca7cd3be2a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 227c4ac245949053cab5705428e3f315a792a81abb17d8d9c54ec34d00b4db77
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C01145B5C003498FCB20DF9AC445BDEBBF4EB48320F20841AD959A7740C739A945CFA5
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1359673408.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_a5d000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 7254d1583dbf695acdb0ba8c80ee7d638ee29d84bd987b9ebc21684adb1c03b0
                                                                                                                                                                                                                  • Instruction ID: 92fb69b02de04bbbb0902ace69a8d30945edd353778a2701163aa563e9a5771a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7254d1583dbf695acdb0ba8c80ee7d638ee29d84bd987b9ebc21684adb1c03b0
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F22103B2504300EFDB25DF50D9C4B6ABB65FB88315F20C5A9EC090B246C336D81ACBA2
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1359739561.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_a6d000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 497f1a943eefa3a2cbcfff9e35cbf634ecd29ec72c07462f525e21d84f554e4f
                                                                                                                                                                                                                  • Instruction ID: 3872ac82fdd40388990810a5f8d3927ab3cff030f16ea7055bf6662c52d198c3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 497f1a943eefa3a2cbcfff9e35cbf634ecd29ec72c07462f525e21d84f554e4f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A821D0B5A04204AFDB04DF10D984B26BB75EB85354F24C669D9094B296C37AD846CA62
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1359673408.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_a5d000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                                                                                                                                                                                  • Instruction ID: 83febd25d264ed912b13f7d0e81f657f0e281e494c1811c72e5ddbf7ec85e660
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E221DF76504240CFDB16CF00D9C4B5ABF72FB84314F24C1A9DC080B256C33AD82ACBA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 4686eb7b7e12b23d24fa7370c40fbeff8db69ded53d5688ee8a8eb02c2a8ba7c
                                                                                                                                                                                                                  • Instruction ID: 12295ce16b8e87465be0ee611b9fff9f22c18448520e5049eacbd971f89df36c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4686eb7b7e12b23d24fa7370c40fbeff8db69ded53d5688ee8a8eb02c2a8ba7c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCE1A171B017008FDB59EB79C85076EBBEAAF89310F24446ED059CB695DF34E806CB52
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e4995f1df36ab348f13b1db1b8934974eed3f9439ff66c9c65a11e6834b6c302
                                                                                                                                                                                                                  • Instruction ID: deb57602102ad3440ed45ca3deb3c32559868e5eacbd2cc9fb646adbb57f25d9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4995f1df36ab348f13b1db1b8934974eed3f9439ff66c9c65a11e6834b6c302
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3E1F7B4E002598FDB14DFA9C680AAEFBF2BF89314F248169D414AB355D730AD42CF61
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: ef1d41897ce4ec30855941cf86e96c32657204aaa790e45632fbbe6d76d81ed3
                                                                                                                                                                                                                  • Instruction ID: d5887390c0feb1b6e1477120dd84806a706be22e342abdec901a20edd501abc0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef1d41897ce4ec30855941cf86e96c32657204aaa790e45632fbbe6d76d81ed3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6CE10774E002598FDB14DFA9C580AAEFBF2BF89314F248169D454AB356D730AD41CFA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 02bef7da8d5ade00b6f8e8500e73e7d647566ac7c63f852f6af054fecb655fcb
                                                                                                                                                                                                                  • Instruction ID: 4aff2d1f621d152e40440117eaa24de449ea8eb148d7fce0ad07696972f0c8be
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 02bef7da8d5ade00b6f8e8500e73e7d647566ac7c63f852f6af054fecb655fcb
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6EE1F674E002598FDB14DFA9C580AAEFBF2BF89314F248169D414AB356D731AD42CFA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 4153e221055afc1e71ca92ed0544638e3461fbf58c93bf81eec87240a724865e
• Instruction ID: bcb08c2f29abd4f84fd195c32ffc3b3fe49590eb3890577d3cf24b5c04ebdac2
• Opcode Fuzzy Hash: 4153e221055afc1e71ca92ed0544638e3461fbf58c93bf81eec87240a724865e
• Instruction Fuzzy Hash: ADE1E874E002598FDB14DFA9C680AAEFBF2BF89314F248169D414AB355D731AD42CFA1
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4cb547876838cd58884ac37e29c2a1dd3d153b10b9f88c6686e123d7524c975
• Instruction ID: b8aaf1ea167e13cb463dfcb081c67dcb764197ca3fbc97be7113ee2b3ca6bf62
• Opcode Fuzzy Hash: b4cb547876838cd58884ac37e29c2a1dd3d153b10b9f88c6686e123d7524c975
• Instruction Fuzzy Hash: D2E1E574E002698FDB14DFA9C580AAEBBF2FF89314F248169D414AB355D731AD42CF61
Memory Dump Source
• Source File: 00000000.00000002.1360491057.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2280000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef3126c28b896666f2ad86ee337a5b709a706e0aad6d37f6092f4f15efdd45cf
• Instruction ID: 1c696e20ad1c22849301749a312a64edef113f8bcc8506ad047af840ffaa14b3
• Opcode Fuzzy Hash: ef3126c28b896666f2ad86ee337a5b709a706e0aad6d37f6092f4f15efdd45cf
• Instruction Fuzzy Hash: FFA18E72E213158FCF15EFB4D94059EB7B2FF88304B5585AAE805AB2A8DB31E915CF40
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a46e5e38e05a3c6eb3e03a2cc472bc8af33015452d2df837bcb9183280aeac55
• Instruction ID: 71e61add2ab1e8313a7f843e1002fc2c3027adc4d7aaed8636bcc9970199fdfa
• Opcode Fuzzy Hash: a46e5e38e05a3c6eb3e03a2cc472bc8af33015452d2df837bcb9183280aeac55
• Instruction Fuzzy Hash: D4510AB4E002598FDB14CFA9C6805AEBBF2FF89314F24C169D419AB255D7309D42CF65
Memory Dump Source
• Source File: 00000000.00000002.1364288093.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69c0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f780dceadfe4a6369c808a043aa84114909d8a3e30648d0ccd98b02af3c48b1
• Instruction ID: d438e8e9ee43c89caff0a969f0504dcd6fc519e95d532984119438a32877e147
• Opcode Fuzzy Hash: 8f780dceadfe4a6369c808a043aa84114909d8a3e30648d0ccd98b02af3c48b1
• Instruction Fuzzy Hash: B7510674E002298FDB14CFA9C5805AEBBF6BF89314F24C169D418AB256D7319D42CF61

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 6.5%
Total number of Nodes: 555
Total number of Limit Nodes: 68

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 41a3e0-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3 41a42b-41a42c 4 41a40f-41a429 NtReadFile 3->4 5 41a42e-41a459 call 41af30 3->5
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: rMA
• API String ID: 2738559852-3963102562
• Opcode ID: eefa385cdc035d6214ed1af3197c7f6c6ce8ddd00fd7ce9961dd4d21677f0fca
• Instruction ID: 4a72f65135dff0943c034dce9f7a521d936b123ce235c6684c835ef53b1b2976
• Opcode Fuzzy Hash: eefa385cdc035d6214ed1af3197c7f6c6ce8ddd00fd7ce9961dd4d21677f0fca
• Instruction Fuzzy Hash: 21F03AB2211104BFCB14DF99EC85EEB77A9EF88754F10865DFA1C97241D630E912CBA0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 245 40acf0-40ad19 call 41cc20 248 40ad1b-40ad1e 245->248 249 40ad1f-40ad2d call 41d040 245->249 252 40ad3d-40ad4e call 41b470 249->252 253 40ad2f-40ad3a call 41d2c0 249->253 258 40ad50-40ad64 LdrLoadDll 252->258 259 40ad67-40ad6a 252->259 253->252 258->259
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 260 41a58a-41a58e 261 41a531-41a54d NtAllocateVirtualMemory 260->261 262 41a590-41a5c5 call 41af30 call 1642c70 260->262
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: c5f6fb1e0bfb383fa1224dfe5f331fb5358eb8989a21e785471edc5b1f0c4334
• Instruction ID: 90a57139dd7708e204f27f23009e630778f3c044b36d05b209f217cef62831b2
• Opcode Fuzzy Hash: c5f6fb1e0bfb383fa1224dfe5f331fb5358eb8989a21e785471edc5b1f0c4334
• Instruction Fuzzy Hash: B0F019B52102087BDB14DF99DC85DE777ACEFC8B60B008659F95987245C530E955CBB0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 267 41a330-41a346 268 41a34c-41a381 NtCreateFile 267->268 269 41a347 call 41af30 267->269 269->268
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 270 41a32f-41a381 call 41af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b8f5d97729d0af093caa605df5704b06229f3ff7ebdc728ec66596b098601b97
• Instruction ID: 2164e17e25e8e1355f6dcd775fa713d45dc2a64c4de00c5ee8efd96071d436c3
• Opcode Fuzzy Hash: b8f5d97729d0af093caa605df5704b06229f3ff7ebdc728ec66596b098601b97
• Instruction Fuzzy Hash: AFF0B2B2211108ABCB18CF98DC85EEB77A9AF8C354F158248FA1D97281C630E851CBA4

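The function blocks above share two features worth pulling out of the report automatically: every Nt* call site lists a call to the same helper (41af30) in its graph line, and the NtAllocateVirtualMemory call site carries the dwords 00003000 and 00000040, which are the documented MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE constants. The following triage script is an added example, not code from the report or from the sample; its input lines are copied from the blocks above and embedded as constructed test data. It does not assume that the listed dwords map one-to-one onto the API's parameters (Joe Sandbox prints more stack slots than NtCreateFile or NtReadFile take), so the decoder scans the whole list for values that are unambiguously flag words rather than reading by position. The "shared helper" output is a hypothesis to check in the disassembly, not a finding: it only says which call target sits beside every syscall.

```python
"""Triage helpers for the per-function API summaries in a Joe Sandbox report.

Added example, not part of the report. Input lines are copied from the function
blocks of this report (constructed test data). Flag tables are the documented
Windows MEM_* / PAGE_* constants; nothing here assumes how the printed dwords
align with the API parameters.
"""
import re
from collections import defaultdict

# "API" lines, copied verbatim from the blocks above (constructed input).
REPORT_API_LINES = """
NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
"""

# "control_flow_graph" lines, copied verbatim from the blocks above.
REPORT_CFG_LINES = [
    "control_flow_graph 0 41a3e0-41a429 call 41af30 NtReadFile",
    "control_flow_graph 245 40acf0-40ad19 call 41cc20 248 40ad1b-40ad1e 245->248 249 40ad1f-40ad2d call 41d040 245->249 252 40ad3d-40ad4e call 41b470 249->252 253 40ad2f-40ad3a call 41d2c0 249->253 258 40ad50-40ad64 LdrLoadDll 252->258 259 40ad67-40ad6a 252->259 253->252 258->259",
    "control_flow_graph 260 41a58a-41a58e 261 41a531-41a54d NtAllocateVirtualMemory 260->261 262 41a590-41a5c5 call 41af30 call 1642c70 260->262",
    "control_flow_graph 267 41a330-41a346 268 41a34c-41a381 NtCreateFile 267->268 269 41a347 call 41af30 267->269 269->268",
]

API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
CALL_RE = re.compile(r"\bcall\s+([0-9a-f]{4,8})\b")   # "call 41af30" targets
NTAPI_RE = re.compile(r"\b(Nt[A-Z]\w+)\b")             # native API names in a graph line

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


def parse_api_lines(text):
    """Turn each 'Api.MODULE(args), ref: ADDR' line into a record; '?' and string
    slots such as rMA become None, 8-hex-digit slots become ints."""
    calls = []
    for m in API_RE.finditer(text):
        args = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t.strip()) else None
                for t in m.group("args").split(",")]
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def decode_mem_flags(value):
    """MEM_* decode, only if every set bit is a known allocation flag (an address
    like 0041B104 happens to contain 0x1000 and must not decode)."""
    if value == 0 or value & ~sum(MEM_FLAGS):
        return None
    return "|".join(n for bit, n in MEM_FLAGS.items() if value & bit)


def decode_page_protect(value):
    """PAGE_* decode: exactly one base protection in the low byte plus optional
    modifiers. 0x60 (seen in the NtCreateFile slots) is not a valid protection."""
    base = value & 0xFF
    if base not in PAGE_PROTECT or value & ~0x7FF:
        return None
    return "|".join([PAGE_PROTECT[base]] + [n for b, n in PAGE_MODIFIERS.items() if value & b])


def find_rwx_allocations(calls):
    """Memory calls whose stack slots carry PAGE_EXECUTE_READWRITE: the classic
    'read payload, allocate RWX, run it' staging seen in this function map."""
    hits = []
    for c in calls:
        if c["api"] not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        prots = [decode_page_protect(a) for a in c["args"] if a is not None]
        if "PAGE_EXECUTE_READWRITE" in prots:
            allocs = [decode_mem_flags(a) for a in c["args"] if a is not None]
            hits.append({"api": c["api"], "ref": c["ref"],
                         "alloc": next((a for a in allocs if a), None),
                         "protect": "PAGE_EXECUTE_READWRITE"})
    return hits


def shared_call_helper(cfg_lines):
    """Map each 'call XXXX' target to the Nt* APIs that appear in the same graph
    line. A target beside every syscall is the first thing to open in IDA."""
    seen = defaultdict(set)
    for line in cfg_lines:
        apis = set(NTAPI_RE.findall(line))
        for target in CALL_RE.findall(line):
            seen[target].update(apis)
    return dict(seen)


def most_shared_helper(helpers):
    """Call target that co-occurs with the largest number of distinct Nt* APIs."""
    return max(helpers, key=lambda t: len(helpers[t]))


if __name__ == "__main__":
    calls = parse_api_lines(REPORT_API_LINES)
    for h in find_rwx_allocations(calls):
        print(f"{h['api']} @ {h['ref']:08X}: {h['alloc']} {h['protect']}")
    helpers = shared_call_helper(REPORT_CFG_LINES)
    best = most_shared_helper(helpers)
    print(f"helper {best} sits beside: {sorted(helpers[best])}")
```

Run against the four API lines and four graph lines above, the script reports the RWX commit at 0041A549 and names 41af30 as the one call target present beside NtReadFile, NtCreateFile and NtAllocateVirtualMemory; 1642c70 appears beside only one of them. Whether 41af30 is a hash-based resolver, a syscall stub, or something else is for the disassembly at that address to settle.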
Control-flow Graph

• Executed
• Not Executed
control_flow_graph 273 41a50b-41a54d call 41af30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
                                                                                                                                                                                                                  • Opcode ID: 21fd6f6c1b72b98785799ebd8cbe92fbf0bfc4a943d03354997e854443e2366a
                                                                                                                                                                                                                  • Instruction ID: 640078d5af61f34f214e7ad685c0d449a12bae75e3a2b50ab35f6b3e88f94ab9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21fd6f6c1b72b98785799ebd8cbe92fbf0bfc4a943d03354997e854443e2366a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 39F0F8B1211208AFDB14DF89CC81EE777ADEF88754F158549FA1997241C630F811CBA4

                                                                                                                                                                                                                  Control-flow Graph
                                                                                                                                                                                                                  control_flow_graph 279 41a45a-41a45d 280 41a460-41a489 call 41af30 NtClose 279->280 281 41a44e-41a459 279->281
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                                                  • Opcode ID: fa908679587c4a8f47ee21d5d04f4b6086f945944532033f902fbcd6846cc997
                                                                                                                                                                                                                  • Instruction ID: 65d8e92ebc7239bf60d2f9915d181945ee3ec75fb8060920c803211abab1193c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa908679587c4a8f47ee21d5d04f4b6086f945944532033f902fbcd6846cc997
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8CE0D8B11412147BD710EBD8DC45EE7776CEF44764F054556F90C97602C534F62186E1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                  • Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                  • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: e71f3bd34e9d344d70906d18e04ecd2556126e895394d5cf55d9e0924c9ff756
                                                                                                                                                                                                                  • Instruction ID: 30d0598d81e75c8e4538f1dab12608b8ce77f58131aea7960ff6f03fd0bb1bfd
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e71f3bd34e9d344d70906d18e04ecd2556126e895394d5cf55d9e0924c9ff756
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8390027120240003424575594814617400E97E0201F55C021F90146D0EC52589916625
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: d4ec0bf2ed9000aa8a9133251d816ee50152824ffe6348c4221b29fadb284171
                                                                                                                                                                                                                  • Instruction ID: 0292a6dd0925549033a8abcf1d2195e189a936477685ef3e3711345a1463ec88
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4ec0bf2ed9000aa8a9133251d816ee50152824ffe6348c4221b29fadb284171
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E90023120140802D2C07559480464B000997D1301F95C015B8025794ECA158B597BA1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: dce62266af8c6164718f5c3ab1711a825ca257af3a3b83a5b07fa7cf807b89a5
                                                                                                                                                                                                                  • Instruction ID: 8e91a33976de8ba19311f21b5d5d704380f04003c2caf4d91b890975f5bfae72
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dce62266af8c6164718f5c3ab1711a825ca257af3a3b83a5b07fa7cf807b89a5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 26900235211400030245B9590B04507004A97D5351755C021F9015690DD62189615621
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 49279637a2e34907826bccacdd4a9d34b909d60cb9a7bdda5d4e38fc52c49243
                                                                                                                                                                                                                  • Instruction ID: c42be23dafb45e6c4c412ae1322b7fcbf1da44ee22ad464ed78edc9e06be053d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 49279637a2e34907826bccacdd4a9d34b909d60cb9a7bdda5d4e38fc52c49243
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B490023130140003D280755958186074009E7E1301F55D011F8414694DD91589565722
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 5981427f06f61f3c9b9769dba7dc5e329d17c2956f2989175a783f8ec13e5cfd
                                                                                                                                                                                                                  • Instruction ID: fda34ebba98630a01b5da328c29ae9996cf111582ee74ef1ba1b6d36218c4478
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5981427f06f61f3c9b9769dba7dc5e329d17c2956f2989175a783f8ec13e5cfd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E890023921340002D2C07559580860B000997D1202F95D415B8015698DC91589695721
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 4808933cc7e7922c4eef2aaf8758c5e573e4ced4ab875ff7b60cad5b7675e02e
                                                                                                                                                                                                                  • Instruction ID: 6537e3dfa64a0d0837a0b487a300dde139a80b4e5c8fe096b8524a4bd96e5523
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4808933cc7e7922c4eef2aaf8758c5e573e4ced4ab875ff7b60cad5b7675e02e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6390023120140413D25175594904707000D97D0241F95C412B8424698ED6568A52A621
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 75a78e69fba77a8a3f8e643d3be25a786ef7c486b7869f34014b019c6471012a
                                                                                                                                                                                                                  • Instruction ID: b3343f2fb9121464bfae32157810cade224886f90055eb475b481e81da56086b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 75a78e69fba77a8a3f8e643d3be25a786ef7c486b7869f34014b019c6471012a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77900231242441525685B5594804507400AA7E0241B95C012B9414A90DC5269956DB21
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 9200b4b86b39f937dfa392f3b60c9cc1522a76d02bb8279217157c40c7f3696c
                                                                                                                                                                                                                  • Instruction ID: 5574b4499b181412aa33cebd08a48e23cad9c1d90c509ad2559c82ed1b68b363
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9200b4b86b39f937dfa392f3b60c9cc1522a76d02bb8279217157c40c7f3696c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC90023120148802D2507559880474B000997D0301F59C411BC424798EC69589917621
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 858507e6e08364ee937738e63b7834c596ce4673da69011edcdec3f7a4852d49
                                                                                                                                                                                                                  • Instruction ID: 04f217ef718b1df951b4fe6e24d97d1cb62c822fac8ded1bc416246962dbe5ad
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 858507e6e08364ee937738e63b7834c596ce4673da69011edcdec3f7a4852d49
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C90023120140402D24079995808647000997E0301F55D011BD024695FC66589916631
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: b615452d66880c2e7cee1e221310ee235ced5f10eee6cb5e18f0c92257c3c0f4
                                                                                                                                                                                                                  • Instruction ID: 3e585ab6f5d78e90f2cca660769a37dd9105639dbcb42d6df714bca6eefbd7b5
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b615452d66880c2e7cee1e221310ee235ced5f10eee6cb5e18f0c92257c3c0f4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5790027134140442D24075594814B070009D7E1301F55C015F9064694EC619CD526626
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: d2004ee40d2ce0731112c74974d696306bd1f37c1aa26a402fdc0dd98fce47af
                                                                                                                                                                                                                  • Instruction ID: 0abaa69ec33ad606c75ab41740684f1b28ab1a6e581b3e1e629a0491c224fc30
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d2004ee40d2ce0731112c74974d696306bd1f37c1aa26a402fdc0dd98fce47af
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 36900231211C0042D34079694C14B07000997D0303F55C115B8154694DC91589615A21
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: a4388d8a139836fb6b60c1a955e6bb3bd73ab5a2f610bc8c0bd1d3107075abf5
                                                                                                                                                                                                                  • Instruction ID: abeb0c3881ee803da6ac213d05dc1b3492eb7dd69a09ff53a8e054305107ab2d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a4388d8a139836fb6b60c1a955e6bb3bd73ab5a2f610bc8c0bd1d3107075abf5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B690023160140042428075698C449074009BBE1211B55C121B8998690EC55989655B65
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 51438f96b29bbce5ebcb8e142f262d22c5288ea6c6ae797703f38a740b964c79
                                                                                                                                                                                                                  • Instruction ID: 99f530bfbd36659feb70407a151c44db2ae6ca08456fabb935ee37a6158aac16
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51438f96b29bbce5ebcb8e142f262d22c5288ea6c6ae797703f38a740b964c79
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A890023120180402D24075594C1470B000997D0302F55C011B9164695EC62589516A71
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: fc6413e03384574eca399e16b7c61e665a45b68868d01817fb8b439a77ee7250
                                                                                                                                                                                                                  • Instruction ID: fd4ca784d8830f23373483a664460ded45ac7fec41f6ab469ec486f2c8dc4662
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc6413e03384574eca399e16b7c61e665a45b68868d01817fb8b439a77ee7250
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4290027120140402D28075594804747000997D0301F55C011BD064694FC6598ED56B65
APIs
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e438cddce7829e03d3b579d0c0ef16ed764c7f5f69b5c6a6975640ef608b43dc
• Instruction ID: 06a9fa5cbadb9d9c15753049313938e92dada2c79c1b553b15cc1c1d485e5a59
• Opcode Fuzzy Hash: e438cddce7829e03d3b579d0c0ef16ed764c7f5f69b5c6a6975640ef608b43dc
• Instruction Fuzzy Hash: 3A90023160140502D24175594804617000E97D0241F95C022B9024695FCA258A92A631
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
• Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
• Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
• Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Control-flow Graph
control_flow_graph 9 41a600-41a631 call 41af30 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Control-flow Graph
control_flow_graph 207 408308-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 216 40835c-40836e PostThreadMessageW 207->216 217 40838e-408392 207->217 218 408370-40838a call 40a480 216->218 219 40838d 216->219 218->219 219->217
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: cfe52855a827d35d0d5336c19fb184040fc4d3a509dc8ac90f0b373084ba5a0e
• Instruction ID: b4b2be87e202b58de272a76c205ae5dc6b3e804f7876a418b382b825dda8ec22
• Opcode Fuzzy Hash: cfe52855a827d35d0d5336c19fb184040fc4d3a509dc8ac90f0b373084ba5a0e
• Instruction Fuzzy Hash: E901B9719803187AE721A6559D43FFE776C5B40B54F04011EFF04BA1C2D6A8690547F6

Control-flow Graph
control_flow_graph 222 408310-40831f 223 408328-40835a call 41c9d0 call 40acf0 call 414e50 222->223 224 408323 call 41be30 222->224 231 40835c-40836e PostThreadMessageW 223->231 232 40838e-408392 223->232 224->223 233 408370-40838a call 40a480 231->233 234 40838d 231->234 233->234 234->232
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
• Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Control-flow Graph
control_flow_graph 237 41a6ad-41a6ae 238 41a6b0-41a708 call 41af30 237->238 239 41a699-41a6ac call 41af30 ExitProcess 237->239
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 85b43b67bf87dbac2df4711459cb1c8d5b69ab35c6d4b7d45eeb783d09aff500
• Instruction ID: 6fa2c5b59d87e0710b2a350ccd57d0c009afce95b0e0a0f0d70a678adf203ace
• Opcode Fuzzy Hash: 85b43b67bf87dbac2df4711459cb1c8d5b69ab35c6d4b7d45eeb783d09aff500
• Instruction Fuzzy Hash: 2501E2B2211208ABCB14DF99CC80EEB73ADAF8C754F158209FA0D97241C634E952CBA5

Control-flow Graph
control_flow_graph 276 41a632-41a656 277 41a65c-41a671 RtlFreeHeap 276->277 278 41a657 call 41af30 276->278 278->277
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 373f8251d89ca98696446d455f333e918d58cf5c499130096d807183355292f3
• Instruction ID: 57e44455d1777c7b74e3850199bdc517dfeb30e4411a439478b2329ead461943
• Opcode Fuzzy Hash: 373f8251d89ca98696446d455f333e918d58cf5c499130096d807183355292f3
• Instruction Fuzzy Hash: 58E0EDB66002006FE714CF68CC84ED73759EF48314F004659FE1997242C531E902CAA0
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                                                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                                                                                  • Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ExitProcess
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 621844428-0
                                                                                                                                                                                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                                                                                  • Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: ce2a1df854de0a63a042e933f23457a8deb6eb0ee2f658b3d25f3037a35db8eb
                                                                                                                                                                                                                  • Instruction ID: 697f3023f1475e2e4d46fdac8ed7d50c72c5dd16fc5c3a1313d3d6689893306e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce2a1df854de0a63a042e933f23457a8deb6eb0ee2f658b3d25f3037a35db8eb
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0B09B719015C5C6DB51E7645E087177D0477D0701F25C065F6030791F4778C1D1E675
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                  • API String ID: 0-2160512332
                                                                                                                                                                                                                  • Opcode ID: 7d3bf59aadf090b5f292e6d7ad6788f148c88e1e7cb85be02ed075c85da62945
                                                                                                                                                                                                                  • Instruction ID: 458a2420ee267670e7d1eeab1e1fb05f65e3a95b04172ab42206e068d86b7507
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d3bf59aadf090b5f292e6d7ad6788f148c88e1e7cb85be02ed075c85da62945
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0929D71608342ABE721EF29CC90B6BBBE9BB84714F044A1DFA95D7350D770E844CB96
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • corrupted critical section, xrefs: 016754C2
                                                                                                                                                                                                                  • Critical section address, xrefs: 01675425, 016754BC, 01675534
                                                                                                                                                                                                                  • undeleted critical section in freed memory, xrefs: 0167542B
                                                                                                                                                                                                                  • Critical section address., xrefs: 01675502
                                                                                                                                                                                                                  • 8, xrefs: 016752E3
                                                                                                                                                                                                                  • double initialized or corrupted critical section, xrefs: 01675508
                                                                                                                                                                                                                  • Address of the debug info found in the active list., xrefs: 016754AE, 016754FA
                                                                                                                                                                                                                  • Thread identifier, xrefs: 0167553A
                                                                                                                                                                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016754E2
                                                                                                                                                                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0167540A, 01675496, 01675519
                                                                                                                                                                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016754CE
                                                                                                                                                                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 01675543
                                                                                                                                                                                                                  • Critical section debug info address, xrefs: 0167541F, 0167552E
                                                                                                                                                                                                                  • Invalid debug info address of this critical section, xrefs: 016754B6
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                                                                                                  • API String ID: 0-2368682639
                                                                                                                                                                                                                  • Opcode ID: 591d7afa4bd6ab2e4e80c31f07b1b2cafb7fa8cad92bba2550cde4097c45df43
                                                                                                                                                                                                                  • Instruction ID: 1367281a47299c5d990f9782a6a4ff8c7ef1918d15108f3cfb75763ca77384f2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 591d7afa4bd6ab2e4e80c31f07b1b2cafb7fa8cad92bba2550cde4097c45df43
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DF8198B1E00358ABEB24CF99CC45BAEBBF9FB48714F204159F505BB280D371A841CB60
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016724C0
                                                                                                                                                                                                                  • @, xrefs: 0167259B
                                                                                                                                                                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01672624
                                                                                                                                                                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01672506
                                                                                                                                                                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016725EB
                                                                                                                                                                                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01672409
                                                                                                                                                                                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016722E4
                                                                                                                                                                                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01672498
                                                                                                                                                                                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 0167261F
                                                                                                                                                                                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01672412
                                                                                                                                                                                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01672602
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                                                                                                  • API String ID: 0-4009184096
Strings
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Strings
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01688A3D
• VerifierFlags, xrefs: 01688C50
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01688A67
• VerifierDlls, xrefs: 01688CBD
• VerifierDebug, xrefs: 01688CA5
• AVRF: -*- final list of providers -*- , xrefs: 01688B8F
• HandleTraces, xrefs: 01688C8F
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• LdrpInitShimEngine, xrefs: 016599F4, 01659A07, 01659A30
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01659A2A
• minkernel\ntdll\ldrinit.c, xrefs: 01659A11, 01659A3A
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016599ED
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01659A01
• apphelp.dll, xrefs: 015F6496
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0167219F
• SXS: %s() passed the empty activation context, xrefs: 01672165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01672180
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016721BF
• RtlGetAssemblyStorageRoot, xrefs: 01672160, 0167219A, 016721BA
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01672178
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
Strings
• LdrpInitializeProcess, xrefs: 0163C6C4
• minkernel\ntdll\ldrinit.c, xrefs: 0163C6C3
• LdrpInitializeImportRedirection, xrefs: 01678177, 016781EB
• Loading import redirection DLL: '%wZ', xrefs: 01678170
• minkernel\ntdll\ldrredirect.c, xrefs: 01678181, 016781F5
• Unable to build import redirection Table, Status = 0x%x, xrefs: 016781E5
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
APIs
• Part of subcall function 01642DF0: LdrInitializeThunk.NTDLL ref: 01642DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01640BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01640BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01640D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01640D74
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0163855E
• LdrpInitializeProcess, xrefs: 01638422
• @, xrefs: 01638591
• minkernel\ntdll\ldrinit.c, xrefs: 01638421
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
Strings
• SXS: %s() passed the empty activation context, xrefs: 016721DE
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016721D9, 016722B1
• .Local, xrefs: 016328D8
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016722B6
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01673437
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0167342A
• RtlDeactivateActivationContext, xrefs: 01673425, 01673432, 01673451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01673456
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
Strings
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0166106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01661028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01660FE5
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016610AE
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• LdrpDynamicShimModule, xrefs: 0166A998
• minkernel\ntdll\ldrinit.c, xrefs: 0166A9A2
• apphelp.dll, xrefs: 01622462
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0166A992
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • HEAP: , xrefs: 01613264
                                                                                                                                                                                                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0161327D
                                                                                                                                                                                                                  • HEAP[%wZ]: , xrefs: 01613255
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                                                                                                  • API String ID: 0-617086771
                                                                                                                                                                                                                  • Opcode ID: 6a413be5d683210ba05d85f03f2f6b55f295eb8bd9289122112e8df86c5f2012
                                                                                                                                                                                                                  • Instruction ID: 1573d24a5d610137ff8bacb585e4be4ad9185e47dfef72490194c075730ef628
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a413be5d683210ba05d85f03f2f6b55f295eb8bd9289122112e8df86c5f2012
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E92DE71A042499FDB25CF68C8507AEBBF1FF48314F28849DE84AAB359D734A946CF50
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                  • API String ID: 0-4253913091
                                                                                                                                                                                                                  • Opcode ID: f7c8461da41c5615d6b34d46e1cc0c5a2a95e96712bc2a074537ac1b171bc28b
                                                                                                                                                                                                                  • Instruction ID: 73b49cd777c334c19e5b6d5703c59b2120601742b624b53fa3d877c1beaf6ea7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7c8461da41c5615d6b34d46e1cc0c5a2a95e96712bc2a074537ac1b171bc28b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCF1AC30A00606DFEB25CF68CC95B6AB7FAFF44704F1881A9E5169B395D730E981CB90
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID: $@
                                                                                                                                                                                                                  • API String ID: 2994545307-1077428164
                                                                                                                                                                                                                  • Opcode ID: 31a3a79a2f4a0f546b0fde8a8b134f9b5cb5cb3b1aecd9c497feb6a040f86a36
                                                                                                                                                                                                                  • Instruction ID: bbcf59647e8e51ce623cfb526e93688213c01b72dabeadc06a7ab3879e6a2a1d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31a3a79a2f4a0f546b0fde8a8b134f9b5cb5cb3b1aecd9c497feb6a040f86a36
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 98C26C71A09B619FDB25CF28C881BABBBE5AF98714F04892DE9C987341D734D805CF52
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                                                                  • API String ID: 0-2779062949
                                                                                                                                                                                                                  • Opcode ID: ee1a2f86868894d9f6b17d1ae0d5d0c6e4816428f98411fbe32b67b241771b4d
                                                                                                                                                                                                                  • Instruction ID: bfaf6eca126733b34a9214e8932561092040fafdae88e3f8870cdfae2fbde58d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ee1a2f86868894d9f6b17d1ae0d5d0c6e4816428f98411fbe32b67b241771b4d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8A17D759016299BDB71DF28CC88BEABBB8FF44710F1001E9EA09A7250E7359E84CF54
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • Failed to allocated memory for shimmed module list, xrefs: 0166A10F
                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0166A121
                                                                                                                                                                                                                  • LdrpCheckModule, xrefs: 0166A117
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                  • API String ID: 0-161242083
                                                                                                                                                                                                                  • Opcode ID: b08d1bd9b200d7c7c36814db34e5a5a505a5398782e5e1ce51eb759e88da2f48
                                                                                                                                                                                                                  • Instruction ID: 5096be7a4d3fac95eaddc7bd46e982ca03122d56e540d66bbc715966b87ade20
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b08d1bd9b200d7c7c36814db34e5a5a505a5398782e5e1ce51eb759e88da2f48
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B671CFB1A00606DFDB29DFA8CD80AAEB7F9FB44304F14402DE902AB355E735AD42CB54
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                  • API String ID: 0-1334570610
                                                                                                                                                                                                                  • Opcode ID: 1cbdcbf4f2f6273334b065554a5a208cda397acfb1bf34a3d03eb591e1ce2090
                                                                                                                                                                                                                  • Instruction ID: fb9b1073666342a17021273878dc98c60587fc11e036a19f3363136d124d9789
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1cbdcbf4f2f6273334b065554a5a208cda397acfb1bf34a3d03eb591e1ce2090
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0619A71600306DFDB29CF28C981B6ABBE5FF44704F18855DE84A8B39AD771E881CB95
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016782E8
                                                                                                                                                                                                                  • Failed to reallocate the system dirs string !, xrefs: 016782D7
                                                                                                                                                                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 016782DE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                  • API String ID: 0-1783798831
                                                                                                                                                                                                                  • Opcode ID: 632f85d1dfa1895c3a836b02b727f41b0b6fc69defc22a5a0015bb3f9e018a35
                                                                                                                                                                                                                  • Instruction ID: 98e0f6532af7341014e84bba138b0e1cd4690181e0360ac4c273c9f02b44ecf9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 632f85d1dfa1895c3a836b02b727f41b0b6fc69defc22a5a0015bb3f9e018a35
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C241FE71514311ABC721EB68DC48B6B77F9BF84750F04592EF948A7290EB70D8108B96
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • PreferredUILanguages, xrefs: 016BC212
                                                                                                                                                                                                                  • @, xrefs: 016BC1F1
                                                                                                                                                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016BC1C5
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                                                                                  • API String ID: 0-2968386058
                                                                                                                                                                                                                  • Opcode ID: 186f03b9db911c53094c57e262a1b859857847ed347535e851db39eb44ed4a32
                                                                                                                                                                                                                  • Instruction ID: 78c8fb33a4fa149d0fb9669f23e71a73ba0216b26767438e3b57beff5a465d25
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 186f03b9db911c53094c57e262a1b859857847ed347535e851db39eb44ed4a32
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E3416371E0021AEBEF11DBD8CC91FEEBBB9AB54704F14806AE605F7240D7749B858B50
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                                                                                  • API String ID: 0-1373925480
                                                                                                                                                                                                                  • Opcode ID: 32bd6d40e9bffb8a26c31dd8f647b313fcb88fbc393ccf63859fa25f78e919df
                                                                                                                                                                                                                  • Instruction ID: 64062f06dfbe4f2ed542f82b5b0b27bfc12faf85b59dcc0dd952ecfb3195e480
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32bd6d40e9bffb8a26c31dd8f647b313fcb88fbc393ccf63859fa25f78e919df
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93412672A006488BEF26DBE9CE40BADBBB9FF55340F14049ED901EB391DB358902CB10
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • LdrpCheckRedirection, xrefs: 0168488F
                                                                                                                                                                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01684888
                                                                                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01684899
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                  • API String ID: 0-3154609507
                                                                                                                                                                                                                  • Opcode ID: 5faecb5054a5581d181315db135f060f260c3d10e27a38113922fcbd4f8e75c4
                                                                                                                                                                                                                  • Instruction ID: 5f3edeacf0af129d1785703877c573989105bb95d301010d726f2e5981ccb450
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5faecb5054a5581d181315db135f060f260c3d10e27a38113922fcbd4f8e75c4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF41C372A146529BCB31FE5CDC40B267BE9BF49690F06075DED45A7355EB30E800CB91
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                  • API String ID: 0-2558761708
                                                                                                                                                                                                                  • Opcode ID: a00f361a66433394f19eb0a8bc0777a81b41b5df5af1b86469c43027d94c8a5f
                                                                                                                                                                                                                  • Instruction ID: cb1177a3b614d71c52b6c6af0e9f211ab7b623a91e7b7136b2025782ebc35384
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a00f361a66433394f19eb0a8bc0777a81b41b5df5af1b86469c43027d94c8a5f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37119D31316142DFDB29CA19CC82B66B3A9FF4075AF18819DF406CB259DB34E881C795
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • LdrpInitializationFailure, xrefs: 016820FA
                                                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01682104
                                                                                                                                                                                                                  • Process initialization failed with status 0x%08lx, xrefs: 016820F3
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                  • API String ID: 0-2986994758
                                                                                                                                                                                                                  • Opcode ID: 6dd97b948d3bd65f662c10a3827ce0afd4b837b4bdd0e972baafbaccad33a1b1
                                                                                                                                                                                                                  • Instruction ID: 18c2c8fe662bdf828b1991e10b1da5f6149e4cc927483456f754cac65673cee2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6dd97b948d3bd65f662c10a3827ce0afd4b837b4bdd0e972baafbaccad33a1b1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58F0C275A40308ABE728E64CCC56FA937ADFB40B54F20005DFB406B785D7B0A954C795
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                                                  • String ID: #%u
                                                                                                                                                                                                                  • API String ID: 48624451-232158463
                                                                                                                                                                                                                  • Opcode ID: 9ed8b0e85285c7098d29110484baa2aabfcfe1905852705d9c78019b7998ed5f
                                                                                                                                                                                                                  • Instruction ID: 521fdd1dede410aeebd4fcb43310096115ec83d6fd327c189231e7161a80c506
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ed8b0e85285c7098d29110484baa2aabfcfe1905852705d9c78019b7998ed5f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE713872A0114A9FDB01DFA8CD90BAEB7F9BF18704F144069E905E7355EB34E941CBA4
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • LdrResSearchResource Exit, xrefs: 0160AA25
                                                                                                                                                                                                                  • LdrResSearchResource Enter, xrefs: 0160AA13
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                                                                                                  • API String ID: 0-4066393604
                                                                                                                                                                                                                  • Opcode ID: fab285a77236be704fffa0d971425ef04b6d1a67ed03ccd5ecf8bcf0183f6af7
                                                                                                                                                                                                                  • Instruction ID: e8a1f9979b1ec3809636d55d12e06b282579f0936005f0b8c0866f10fd91fc1f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fab285a77236be704fffa0d971425ef04b6d1a67ed03ccd5ecf8bcf0183f6af7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8FE16E71E00719ABEB26CEDDCD90BAEBBBABF44350F14442AE901E7391E7749941CB50
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: `$`
                                                                                                                                                                                                                  • API String ID: 0-197956300
                                                                                                                                                                                                                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                                                  • Instruction ID: b4b03ffb3749ae3782baab9d90b2be6f3393f14605fc0b9c58f122aac0293c08
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FC1BE3120434A9BE724CF69CC40B7ABBE6EFD4B18F088A2DF69687290E774D505CB55
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID: Legacy$UEFI
                                                                                                                                                                                                                  • API String ID: 2994545307-634100481
                                                                                                                                                                                                                  • Opcode ID: 2c9011b3e2b108532eec526ba2fe370c4018081904ee7e7242f1d2b99ebaba0d
                                                                                                                                                                                                                  • Instruction ID: 84453e0a43f39704e6984e23814ebae0f7591c28f18ff7153318cb797b767298
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c9011b3e2b108532eec526ba2fe370c4018081904ee7e7242f1d2b99ebaba0d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 49616D71E007099FDB14DFA8CC40BAEBBB5FB48700F2540ADE649EB251D732A905CB54
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • String ID: BinaryHash
                                                                                                                                                                                                                  • API String ID: 0-2202222882
                                                                                                                                                                                                                  • Opcode ID: 2869cee61b6fd09826e8eb210137a41b494aefe59660bea294d72a8561ff048f
                                                                                                                                                                                                                  • Instruction ID: 7a9b05d168cc62e836a0ff021123b02d99074d4cde8c7d077e49e4a6862633b3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2869cee61b6fd09826e8eb210137a41b494aefe59660bea294d72a8561ff048f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A74147B1D0052EABDB21DA60DC84FDEB77DAB45714F0145E9EB08AB140DB709E89CF98
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: #
                                                                                                                                                                                                                  • API String ID: 0-1885708031
                                                                                                                                                                                                                  • Opcode ID: c86b9c4acc002722f990eacca11025404901eb0b8a23893bbcab10b75dd805fa
                                                                                                                                                                                                                  • Instruction ID: 95ad3f67631419855a580f92b5a14cd96e774707e5b0d6c5b2e5f14d2513246e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c86b9c4acc002722f990eacca11025404901eb0b8a23893bbcab10b75dd805fa
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9631E331A00799DBEF22DB69CC50BAEBBADDF45704F14406CF941AB382DB65E805CB94
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: BinaryName
                                                                                                                                                                                                                  • API String ID: 0-215506332
                                                                                                                                                                                                                  • Opcode ID: c05f742cd983c5372fb91e610f478dd1733988dc38b8c1d4dc5f7f0a074ace56
                                                                                                                                                                                                                  • Instruction ID: 67e0c8d8b4a578dcc4faf300ae3ce576a225405ccc8453771a9a0d2936a5e9ec
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c05f742cd983c5372fb91e610f478dd1733988dc38b8c1d4dc5f7f0a074ace56
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E031E13690051AAFEB16DA59CC55E7FBBB4EB80B20F114169F905A7250D7309E04DBE0
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0168895E
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                                                                                                  • API String ID: 0-702105204
                                                                                                                                                                                                                  • Opcode ID: 0ce6d16ad7a5022cb57f6998075afce2842e9bdeec6dc8b94c4cf7fb5d89e5c1
                                                                                                                                                                                                                  • Instruction ID: 4e642fa2c6957514bfd485e266d370b7653a81b45d701317f8aef01336dfa8ac
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ce6d16ad7a5022cb57f6998075afce2842e9bdeec6dc8b94c4cf7fb5d89e5c1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F01F2366102019FEB35BB5DCC84A6A7F6EFF81394B44172CF74227652CB20AC41C796
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 2dcd581305a50c993f4919ecb6f4feb0249838da8000c07c16bcf4a164e19a36
                                                                                                                                                                                                                  • Instruction ID: 42528c97ac11893972d91eff84a96a947768c68196dc484e43e18946f7d59979
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2dcd581305a50c993f4919ecb6f4feb0249838da8000c07c16bcf4a164e19a36
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C04290316483419BD725CF68CCA0A6BBBE6AB88700F89492DFA8297350D771DD45CF52
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 6b22e24cb44b9a08fcdd11b2880b8b78c7915bb354c1c188503799c7aab83e8b
                                                                                                                                                                                                                  • Instruction ID: 23d6dda543c73f86b9708f909b31e3ee14c9f7d80ae65819847beb21e2eb93d7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6b22e24cb44b9a08fcdd11b2880b8b78c7915bb354c1c188503799c7aab83e8b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56423C75A002298FEF24CF69CC41BADBBFABF49310F158199E949EB242D7349985CF50
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: bb29cf86c05cf09cbad102b0f6b48806dbdde9b4bba8dad5d9118595d6f68c4f
                                                                                                                                                                                                                  • Instruction ID: 6130326194d2001bc028a1b2359ff1324427154dd39e1e7850c120c2d8fcff76
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb29cf86c05cf09cbad102b0f6b48806dbdde9b4bba8dad5d9118595d6f68c4f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C032CA70A007568FEB25CF69DC547BABBFABF84304F24811DD8869B785D735A842CB90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0f50bcf654e35730a42ca77d6115d60337414a889089b953a0ffc0a624a0ae1d
                                                                                                                                                                                                                  • Instruction ID: c4511e098e5240e9318f4cf89cab0f26f17dda640d4140f84a2abae82cf42526
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f50bcf654e35730a42ca77d6115d60337414a889089b953a0ffc0a624a0ae1d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A922AF742046618BEB25CFADC854376BBF1AF45300F88859BE9868B386D735EC52CF64
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 04743b11c47a3120810ff23c1ae999644af99117a7fd80a16fb2231912bba88f
                                                                                                                                                                                                                  • Instruction ID: 71aaa15856c0dac5ec8acb3343752f213eef77dbb4b8e2489fb44a35df8620b3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04743b11c47a3120810ff23c1ae999644af99117a7fd80a16fb2231912bba88f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB32BF71A05615CFDB2ACF68C880BAAB7F6FF88300F148569E956AB391D734EC51CB50
                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 05c394a19998e26172cb32bf0a3fdd433cea8a73274b98609610e3849e156cd3
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: F6F14E71F0062A9BDB15CF99C990BAEBBFAAF48710F058569E905EB340EB74D841CF50
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e42cbe2c3bb662d069ea6daead93dee37620edff9ff399371b8f9b6c25c74ada
• Instruction ID: e723abab4cd44803a62d711fd58b23c31a9ceaced136f339199fdca53f95281b
• Opcode Fuzzy Hash: e42cbe2c3bb662d069ea6daead93dee37620edff9ff399371b8f9b6c25c74ada
• Instruction Fuzzy Hash: A1D10371A0060E8BDF05CF68CC41ABEB7FEAF89314F188169D955E7241D739E906CB60
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9663a3bc5dbc31e1369420063b35b5dca2c9f17ea3038ed151dce99de537816
• Instruction ID: 9c885ab94cfe5a16b4a68454492b455c1935bdd2e71752df8cf841180ce0f2a4
• Opcode Fuzzy Hash: a9663a3bc5dbc31e1369420063b35b5dca2c9f17ea3038ed151dce99de537816
• Instruction Fuzzy Hash: 76E19071508342CFC71ACF28C890A6BBBE1FF89314F15896DE59587391DB31E915CB92
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1f8ada11683043cdfc298a1b7268cadbd08a022d971e2a1ebaed925b10afaf1
• Instruction ID: 2ddbd49fc4529985bd196d2868a99566072cd1b54d6a33620f4109f34ec82b3f
• Opcode Fuzzy Hash: d1f8ada11683043cdfc298a1b7268cadbd08a022d971e2a1ebaed925b10afaf1
• Instruction Fuzzy Hash: D9D1B171A0061A9BDB14DF68CC90BBE77E6BF54308F044A2DEA16DF280E734E955CB60
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: 17de5c6577116a42fadbe02abbe3dc41831c56eca4111c131c8779f98ff0090c
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: 58B1B475A006099FDB24EF98CD50EABBBBEFF84304F90855DAA4297791DB30E905CB50
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: 79431ba4655865276332d15680d976028b6da82b6cf014491ac46f8a4490f078
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: 68B1D471604646AFDF15DB68CD50BBEBBFAAF84300F180599E652DB385DB30E981CB90
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 679feca42e10a6ca3464989ce43d92a5d98f9974ffdcf09d1a4b8a3ca6455c32
• Instruction ID: a6384300a160f86a0f007a0f94069bb60e2e9658bade915cb56ea83f224188aa
• Opcode Fuzzy Hash: 679feca42e10a6ca3464989ce43d92a5d98f9974ffdcf09d1a4b8a3ca6455c32
• Instruction Fuzzy Hash: FFC157706083818FE765CF19C884BABB7E9BF88304F44492DE98987391D775E909CF92
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4d49b45fa978840e5424a7b4bf7ae3e7eaef78a489711fba5f3dbea8e1fcf71
• Instruction ID: 1891211e34df81745c60dd75a6eb2d73764fe70f9edd281bcb84769068cdc2c8
• Opcode Fuzzy Hash: a4d49b45fa978840e5424a7b4bf7ae3e7eaef78a489711fba5f3dbea8e1fcf71
• Instruction Fuzzy Hash: 07B15170A0026A8BDB64DF58C890BA9B7F2BF44704F0485EDD64AEB241DB709D85CB24
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74df0876a36d84ecbc2e772d3c204630def062b6d568c3d296de1a145e977922
• Instruction ID: 0c218a9cff21985b45d956ccaf209002b7f813e112db7803cc2e48b81a91d05d
• Opcode Fuzzy Hash: 74df0876a36d84ecbc2e772d3c204630def062b6d568c3d296de1a145e977922
• Instruction Fuzzy Hash: CAA13631E00A259FEB31DB68DC54BAEBBB9BB00714F0501A9EE01AB3C0D7749D41CB91
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2af080f1f4605e11cb783f7d50987a432a10d85a8e3c0b98198d20cbc201087d
• Instruction ID: 2b845f58f8b3c0c7d5e139cfb282cfc012660ab495c3974725e4a24a779e178f
• Opcode Fuzzy Hash: 2af080f1f4605e11cb783f7d50987a432a10d85a8e3c0b98198d20cbc201087d
• Instruction Fuzzy Hash: ACA19071B01626DBEB25DF69CD90BAAB7B2FF54314F00412DEA059B381DB34A812CB90
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35aeb3e90ed72e1488081dcfd0d511e3fcd3f451ed17e0ede724d64aaff31234
• Instruction ID: 7104d9368d5656735bd8cdceedadd890e8bba901eedb20d08839edcb580de28b
• Opcode Fuzzy Hash: 35aeb3e90ed72e1488081dcfd0d511e3fcd3f451ed17e0ede724d64aaff31234
• Instruction Fuzzy Hash: 18A1CC72A04652AFC721DF18CD80B6ABBEAFF48744F46052CE5869BB51DB34EC01CB95
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                                                                  • Instruction ID: ce3fe4a8468eb1674e46a3f253f4b8cd05346ac126802f6f569b3d454ea97d02
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AB13771E0061ADFDF29CFA9C890AADBBB5FF88310F14816DE915A7354D730A941CB94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e66cc4199101f8af87a45b8b513b2c480594dcab271d1a11bfc403393d1b4eca
                                                                                                                                                                                                                  • Instruction ID: 8fc69d2d1c50d4467347a4e0677fdcd6670308c30e69262de78ec5545fdf4c42
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e66cc4199101f8af87a45b8b513b2c480594dcab271d1a11bfc403393d1b4eca
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B919171D00216AFDF15DFA8DC94BAEBFB5AF49710F1542A9E610EB341D734E9008BA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 292132d7b89bfb230edee31b1416467bb7ebf10fb2d09b697c5977d00b39fb13
                                                                                                                                                                                                                  • Instruction ID: de19dd6eaf6317b13b2a31dc6aa253c640c28e6070d9778792f196e373743d5e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 292132d7b89bfb230edee31b1416467bb7ebf10fb2d09b697c5977d00b39fb13
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D912431A00616CFEB26DB68CC80B7DBBA6EF94714F0D8169ED069B348E736D942C751
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 5a01a956d3952303d8436832aba865761c4ebfc0268cd79838832e50d9c8326a
                                                                                                                                                                                                                  • Instruction ID: a9c054b7cae0f82929988d82bed113b57fecbf706407b9470aca5356a8528d47
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a01a956d3952303d8436832aba865761c4ebfc0268cd79838832e50d9c8326a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9681A171A0061A9BDB68CF69CC40ABEBBF9FB48700F44852EE855E7740E734D951CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                                                                                  • Instruction ID: 8db67136fcabd9c447329345378d202af841e233240096f2fac95490b2b03a78
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC816172A002099BDF19CF98C890ABEBBB6EF84710F14856DD9169B345E734E901CB54
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0a290ab2cc6c19eb7898395590290ce619a5f35bc0053c10d0acec6c724db92b
                                                                                                                                                                                                                  • Instruction ID: 783144c20452fdbe08dea958d6120fe43026500715df568ba29b4e6039bb28c6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a290ab2cc6c19eb7898395590290ce619a5f35bc0053c10d0acec6c724db92b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB811D71A00609AFDB26CFA9CC80AEEBBFAFF88354F14442DE555A7250D771AC45CB60
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: f19e0ea791837683341a6a63ab67ec463c96cdc88923a19b09e996f9c28441b4
                                                                                                                                                                                                                  • Instruction ID: 1877da76d3a20a732be1ca78b9d2dbb02e617b83a622610b6d21ca6a05a964a8
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f19e0ea791837683341a6a63ab67ec463c96cdc88923a19b09e996f9c28441b4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB71CC75C00669DBCB258F68DC907BEBBB9FF58710F18411AE942AB354D7709801CBA0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: b5e94cae9a844eac6d1bd87abda624a223c0f8855da4cbea3d5a1db6a0add679
                                                                                                                                                                                                                  • Instruction ID: 1ff2c677a4bfb735d7505246f3965e79468358db39aaef93d8328d8a09123301
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5e94cae9a844eac6d1bd87abda624a223c0f8855da4cbea3d5a1db6a0add679
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 73716071901205EFDB20DF69DD84ADABBF9FF90300B10515EEB16A739ACB319980CB58
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 523029b063ad6dbdc76e4e7d3da60e60631838792eea4666f557e8853ace0e59
                                                                                                                                                                                                                  • Instruction ID: 1caa18873ec8be5b3ece4baabc00555ce77b39145b9cf6833fe53f97ff5d56ce
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 523029b063ad6dbdc76e4e7d3da60e60631838792eea4666f557e8853ace0e59
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0571C2316042528FD316DF2CC890B6AB7E5FF84310F1885ADE895CB39ADB34D846CB95
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                  • Instruction ID: b0f334daf5d5dce9c436946ce433cb35dccd612fb2bdc9f258a2a6fc7354bfff
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84717D71A00619EFCB10EFA9CD84E9EBBBAFF48710F144569E505A7250DB30EA05CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 460361fdac0d263ef59c6e3373382297eb54d095daddfa1d95aa8331a304e873
                                                                                                                                                                                                                  • Instruction ID: 1775347ffe1069834e48d3fc5417997e871cca806d49332d196c654262d5e9a2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 460361fdac0d263ef59c6e3373382297eb54d095daddfa1d95aa8331a304e873
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB71E432200B01AFEF329F58CC54F56BBAAEF40B64F15842CE656872A1D775E944CB54
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 8aa52233c3cba5cf6076d5a4082bc0f08d040903f88f90b62f5861bb74f90c5e
                                                                                                                                                                                                                  • Instruction ID: d24e465ce0e51e588ccce596e5b0a882beb7f0e6b4fa2d60113f2b6cb7b00a19
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8aa52233c3cba5cf6076d5a4082bc0f08d040903f88f90b62f5861bb74f90c5e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D581BE72A057068FDB29CF9CCC94B6EB7B9BB88310F15512DD904AB781CB749D41CB94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 54ca055ae0bb2ac539c6d41e095f8df41662f882b1c740e78daeda21c3f16424
                                                                                                                                                                                                                  • Instruction ID: 9855e511542facb1157e4281d7a57f8b764b3fa3fdc9c725b66663fd2799d980
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54ca055ae0bb2ac539c6d41e095f8df41662f882b1c740e78daeda21c3f16424
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F711971E0020AAFDF16DF94CC85FEEBBB9FB04350F104269E615A7290E774AA05CB94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 34f122b21c450f53e05a3666b3c137981b96052cf1c25e273fdf00491071cc04
                                                                                                                                                                                                                  • Instruction ID: 50a39c017796d8bc0df3f048c5ad5b343cd7b42cc70d277372f43942ce6c9c1e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34f122b21c450f53e05a3666b3c137981b96052cf1c25e273fdf00491071cc04
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE51BD72505712AFD721DEA8CC84A9BBBE9EBC5710F01092DFA40DB250DB74ED45C7A2
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: cad672f1bbe1d8f4eba5fa71e5dd5743ba60d1f60819d5693c01e02e8ef5e705
                                                                                                                                                                                                                  • Instruction ID: 13311226e555d5f1cf7d21441862440690c860966d2e0273521c7ba8f7ba1982
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cad672f1bbe1d8f4eba5fa71e5dd5743ba60d1f60819d5693c01e02e8ef5e705
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD519A709007059BD721DFAACC80AABFBF9FF94710F50461EE292976A1C7B0A945CF90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: be0f51cdde830bfec58acb1741693cbd409fd8672b4f71a612e64fc07f1894a6
                                                                                                                                                                                                                  • Instruction ID: 1475af43e10c26ee200eb2597d0162d35649098f305aa44be849972bfa6157a1
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: be0f51cdde830bfec58acb1741693cbd409fd8672b4f71a612e64fc07f1894a6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86516771200A05DFCB22EFA9CD80E6AB3FAFB58764F40042EE50287761E731A951CB60
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e856f7fbc5bc5e55d508a4bab8c99a8228ab77dfe8ff5cb50b5691ca308e4e42
                                                                                                                                                                                                                  • Instruction ID: 1d24a0b23c878380ed59913f8bc94489e8059141bf12be02882aab3b3c674cca
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e856f7fbc5bc5e55d508a4bab8c99a8228ab77dfe8ff5cb50b5691ca308e4e42
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE5134716083429FD754DF2ACC80A6BBBE6BBC8204F88492DF589C7250EB70DD058F96
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                  • Instruction ID: b1606c99f75c4030ed9836bd7b4af01e489d884fae4f61cad3d88d8f301c19e9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22517971E0062AABDB15DB98C840BFEBBB9AF45354F144069EA11EB340DB74DD44CFA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                  • Instruction ID: 97bdcec7f83d76bc27ffb0987e9fa91f22f2088f1b22404f1900bcd892ab8683
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E51C771D0021AEFEF21BF94CD90BAEBB75AF00724F154769E91267290D7329E41CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: c5b05322252dc37b31f81c76f724e2b72fcc06326e63a29f508d9c9aba497557
                                                                                                                                                                                                                  • Instruction ID: 143bd6ac9dfadbd279509eea676b8754d1ad6841ec61b477b272a8285c5d41b0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5b05322252dc37b31f81c76f724e2b72fcc06326e63a29f508d9c9aba497557
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0441C0717016129BEB39DB2DCC94B7BBB9EEF90A20F08822DE95587381DB34D801C795
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 1abdfce8be51a952b066a3e1852e70d8faa8391ab4020d8a4dc177f22a3fc1fd
                                                                                                                                                                                                                  • Instruction ID: 6ef4065b5fa89ab1168d6ef5ec2dd2f9adb4aa39c26c5fbfbe73fcb23758cb95
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1abdfce8be51a952b066a3e1852e70d8faa8391ab4020d8a4dc177f22a3fc1fd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C241C132E01202DBD72ADF5CCC80B6BBBBAFB94704F14812ED9059B795CB759842CB90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 5f6d826202dd19269941b56431852874fb42aeb4ecf37fb40801259d8d843366
                                                                                                                                                                                                                  • Instruction ID: 4fc04d67133f932bfcf3a51df977ff6aed09b5407fb0fd23de5d6878690ae322
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f6d826202dd19269941b56431852874fb42aeb4ecf37fb40801259d8d843366
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F414A315087169ED312DF69CD40A6BB6EAFF84B54F40092EFA84DB250E730DE048BA7
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                                                  • Instruction ID: de72ec02d75e956edd58623392fc92261c242fe4a94b58b5a26dae0a25df7860
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7412831A00212EBEB11EE1CD8407BEBBB6FB90754F15806EAE498F344D7368D40CB92
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 15dc2d6e9c1e77195f3d7f75ee33cc15109b6833000ea8121abc07f873ffa906
                                                                                                                                                                                                                  • Instruction ID: eb6426c67109e3ca91bc1678950d0c435960f0714989da178df20498bb00c3b0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 15dc2d6e9c1e77195f3d7f75ee33cc15109b6833000ea8121abc07f873ffa906
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2414971640601AFD72ACF18CC40B26BBE5FF54354F24866EE8598B392E771E942CB94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                                                                  • Instruction ID: a164edc9c4a70978a04ce520e804e6321f911a962286b32a27773e6fe7e2ab1b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67415975A00705EFDB25CF98C980AAABBF9FF48700B21496DE156D7250D330EA48CF90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0904134fed51b39793b1a404ba6a5713f414e4e73fea6fedb0379e70a6f4a9b4
                                                                                                                                                                                                                  • Instruction ID: 8b08c61095e5e1b8c90c2b437378965f354c76cdb34739bedf7c46f59fc0c6de
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0904134fed51b39793b1a404ba6a5713f414e4e73fea6fedb0379e70a6f4a9b4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A741B0B0901711DFCB2AEF28CD64A6AB7B2FF44310F1581ADC5169B3E1DB30A941CB51
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: bd6ce3bcbacd708d04da277be21e0de2613c354629c1d4fc730a5eeb775983c1
                                                                                                                                                                                                                  • Instruction ID: 07c19a9444a90d9f3e8b2d6f63023e6741c5a12e76ecbdf5c73f2082f490fb3c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd6ce3bcbacd708d04da277be21e0de2613c354629c1d4fc730a5eeb775983c1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 853179B2A01345DFDB11CF58C840799BBF5FB49714F2181AEE519EB391D3729902CB94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 7517ff29e75fcc417abfbdfdfc684954fdb6c35e589e2f8060301e43ab866d33
                                                                                                                                                                                                                  • Instruction ID: 7033ec9789288175e0d6696be01705cdc763f1287f9e3fc77171b7a58bedf8e0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7517ff29e75fcc417abfbdfdfc684954fdb6c35e589e2f8060301e43ab866d33
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69419CB29183019FD720EF29CC45B9BBBE8FF88614F004A2EF998D7250D7709944CB96
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: cc2b738764d38b593861fb7e349065f4c43b55ba2b0012475fc19f7c7c09d772
                                                                                                                                                                                                                  • Instruction ID: eb2ddffeb8fdf4d2529ce8955741e1835d0bef388f08a4bb6288a8302fdf5692
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc2b738764d38b593861fb7e349065f4c43b55ba2b0012475fc19f7c7c09d772
• Instruction Fuzzy Hash: 1941CF71A05616AFDB15DF58CC80AADB7B2BF54760F24872DDA16AB280DB30ED418B90

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43c60ad03a87c2ca038b6f33c0efda23eb95ee2a9ac15d2325faf92eb7580852
• Instruction ID: 0df28aa2584723e477c24d48b62a75c7d2dec66c5cd0b06dfb22770558dc0757
• Opcode Fuzzy Hash: 43c60ad03a87c2ca038b6f33c0efda23eb95ee2a9ac15d2325faf92eb7580852
• Instruction Fuzzy Hash: 8741C2726046529FD320EF68CC40A6AB7E9FFC8700F140A1DF99597780E730E949C7AA

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc2789ee84ef2799fbb706ffefacc722730ff8be780a0d4e9a04c70c6859152d
• Instruction ID: b3caaf003d9f6dcf8b36ba7b629e3a9140c1b9d8deee9806e16fcd7ab80f9377
• Opcode Fuzzy Hash: bc2789ee84ef2799fbb706ffefacc722730ff8be780a0d4e9a04c70c6859152d
• Instruction Fuzzy Hash: E94180702043028BD73ADF18DC94B27BBAAEF80354F14487DE655872E1DB70D951CB51

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2ca379b0cda95f3766dcd30c25c31228412df43013511a8cddd9d31271245ac
• Instruction ID: 2ed31e9272fe14be092bb99d15fb8fae84f61d13ee2c87287ac860c5a0f52a2f
• Opcode Fuzzy Hash: a2ca379b0cda95f3766dcd30c25c31228412df43013511a8cddd9d31271245ac
• Instruction Fuzzy Hash: 81417F71A01609CFCB15CF69C980A9DB7F2FF88320F15862ED666AF390DB34A941CB40

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 1c687f90f886c9dff857c4e8807f63e31ef3d9c7f8eb628712c4d793081c87af
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 90311631A04285AFDF228B6CCC40B9BBFE9AF14350F0845A9F855D739AC7749985CBA4

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31db3f77d76b6413c44e030afec0b9dfe4b7c3e0c3d07847f02eaf84b26a7ea6
• Instruction ID: 53514ff8f02f37717d1175dcd4271af0574c54b647b768a1a8faf9c2d2155ba1
• Opcode Fuzzy Hash: 31db3f77d76b6413c44e030afec0b9dfe4b7c3e0c3d07847f02eaf84b26a7ea6
• Instruction Fuzzy Hash: CF31D735B41716ABD7229F658C41FAF7AB9EB59B50F40002CF600AB391DAA5DC01CBE4

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d83e98d137e6fe31bed58efef533a147c657e9975908ea0160be68f06da7194c
• Instruction ID: 1d6d05dd5cfc432d3a9392e73e889d8ccc7414d8fda6b7ed580cab61e39755ca
• Opcode Fuzzy Hash: d83e98d137e6fe31bed58efef533a147c657e9975908ea0160be68f06da7194c
• Instruction Fuzzy Hash: 0B31AF326052018FC321DF1DDCC0EA6B7E6FB84760F1A446EE9968B356DB31A891CB95

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ced9c6ad80af3694e74d90b26c015b7f2747dd42fb88a03a9a013403092e38cf
• Instruction ID: a874c0888db3d4c87444d682f39ec2e1f591a170554f34bb6dc0eb574a1ffc29
• Opcode Fuzzy Hash: ced9c6ad80af3694e74d90b26c015b7f2747dd42fb88a03a9a013403092e38cf
• Instruction Fuzzy Hash: 5A418A71200B459FD726CF69CC80B977BE9AF45714F04882DE69A8B390CB70E804CB90

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4cf737876e1c00a3ebf2efa3212736181b217149731d54146cbbe2adbae96d0
• Instruction ID: a23672ee6a7a0f21896a1491ced93fa69b067f943e50cd0e847d4eeb32c85b1c
• Opcode Fuzzy Hash: e4cf737876e1c00a3ebf2efa3212736181b217149731d54146cbbe2adbae96d0
• Instruction Fuzzy Hash: 3C318F716042018FD320DF28CCD0AAAB7E5FB84B10F15456DF9969B396DB30EC55CB95

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b1ccbdace233e7fe6da1ddf0900fb4b6c9b0688147f9c86feb6631c5611a2a4
• Instruction ID: 1ea938e4e3281d8502e9c5a5253e0b3b53735b248268dfb8717f96fbc351eb33
• Opcode Fuzzy Hash: 5b1ccbdace233e7fe6da1ddf0900fb4b6c9b0688147f9c86feb6631c5611a2a4
• Instruction Fuzzy Hash: 0631A1327016829BF326576C8F48B257FDABB41B44F2D00E4AB469B7D2DB29D849C235

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099dbe09285067250e5606b3dd8cfa75cdca16d61be0f33d10d51e6f36f4776c
• Instruction ID: 904191ac644465927f6feb71ea7e1ef31052baaa2f91f19c62de650e9189f984
• Opcode Fuzzy Hash: 099dbe09285067250e5606b3dd8cfa75cdca16d61be0f33d10d51e6f36f4776c
• Instruction Fuzzy Hash: A531D276A00156ABDB15DF98CC40BBEB7B6EB48B40F45816DE900EB344D774ED01CBA8

Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 784227420f888a6bae5fc3f56f52e9882e67930bbd7450448396ee2c2702d089
• Instruction ID: ce1d412ccc4d84f461db8956072e6ad586b453417adb97b97e6a4321b96a5d67
• Opcode Fuzzy Hash: 784227420f888a6bae5fc3f56f52e9882e67930bbd7450448396ee2c2702d089
• Instruction Fuzzy Hash: A1315076A4012DABCB21DF54DC84BDEBBBAEB98350F1400E9E508A7250DB70DE91CF90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 9a3cbc0a00d0ef4be1b35b44df02836c8d72491b22006ff9f6754fdae13e5d63
                                                                                                                                                                                                                  • Instruction ID: 594f173f42d62435c7277bf29bd5acd3a3b31c5a4deb27e96f493e4f81a7a869
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a3cbc0a00d0ef4be1b35b44df02836c8d72491b22006ff9f6754fdae13e5d63
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9531D532E00625AFDB21DFA9CD40AAFBBB9EF18350F014479E916D7250D3719E008FA0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 206cae13f858ed961077e1a6bcd281167f1a85319e2c94d72a00f4c62a45702d
                                                                                                                                                                                                                  • Instruction ID: 62037235dee3c5a3f610bfca6ccb15cfc4dd381290ce704a5813018ccfe29447
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 206cae13f858ed961077e1a6bcd281167f1a85319e2c94d72a00f4c62a45702d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4331C272B00606AFDB129F9DCC50B7AB7BAEF84B56F14406DE506DB752DA30DC018B98
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: b7d4898d1baabb957568aa043c795cc082fd6cae9014df80195cd4dedce1292e
                                                                                                                                                                                                                  • Instruction ID: 82a1b2926fa28a61b244e7fc3009e19cc0fd300f9ef995c23fd02aa67542ecda
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b7d4898d1baabb957568aa043c795cc082fd6cae9014df80195cd4dedce1292e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8031D432A04612DBCB17DE288C80F6BBBA6BF94290F02452DFD5A97390DB30DD1187E1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 60684bc16662941688b7031ad60aab8d5c01c33632ec3197f6a36ceec0ef529b
                                                                                                                                                                                                                  • Instruction ID: 8ce995aeb9d8fb1ecec9f7f7744747fccb0d0c273ebc3506a91fb6ab648e0fce
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60684bc16662941688b7031ad60aab8d5c01c33632ec3197f6a36ceec0ef529b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B318FB1A093018FE766CF19CC40B2BBBE9FB98700F05496DE9849B391D771E844CBA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                                                                                  • Instruction ID: ebaab6c8972377a63d2eb57ef59a0899c0463f1f8a3d3b6ea7b0b0789e78a521
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F312CB6B00B01AFE761CFA9DD81B67BBF8AB48650F14052DA59AC3751E730E9009B64
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e717b3fa5945c110e9b32c2fc0b9541a9ec5f239f108729c615a1ffb305d5fe8
                                                                                                                                                                                                                  • Instruction ID: c52e24ec951c0aa132f876bb2b46a76899b433438f8814139e60dcb6c91e17b8
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e717b3fa5945c110e9b32c2fc0b9541a9ec5f239f108729c615a1ffb305d5fe8
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04319A716053028FCB11DF19C94095ABBF2FF89218F8449AEE49A9B351E332ED45CF96
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d9e8b2137c3f5545e5edd6b8efa3781600a872b61f5c542553217995fb75f3c8
                                                                                                                                                                                                                  • Instruction ID: f2abf79ce31d4e943580cb907f374b81e27323210ef207da651b039d86d9d790
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d9e8b2137c3f5545e5edd6b8efa3781600a872b61f5c542553217995fb75f3c8
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F31B132B01A269FD720DFA9CD80A6ABBFAEB94304F00852DD156D7654EB30DD41CF90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                                                  • Instruction ID: ddce456b5b1bab4ac39753f566ec443b374711f546c6b8831c3d2ce9cb89c699
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E210436E4065BAADB109BF9C811BAFBBB6BF54740F0585799E25EB340E370C90087A0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: bc8a322e5f40afce4e47d660cb3da354662c81fdc1d85a4d28c18dc2bb31ef09
                                                                                                                                                                                                                  • Instruction ID: f2c30586d705b2694e8ae3f098a1e8bb70ff941e9ed95056b69884ac21818083
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc8a322e5f40afce4e47d660cb3da354662c81fdc1d85a4d28c18dc2bb31ef09
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B73145B15012118BDB21AF68CC50BB977B5BF40314F5881ADDD869B3C6EB749982CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction ID: 82e5d55b4e4c5d9f05e2a7b6c994bba95aea573a352ae6c6ee5ac41714609831
• Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction Fuzzy Hash: 3B21303A60165277CB15AB958C40AFFBBB6EF80710F40841EFA5587651E738DB80C764
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb3ea09e2920b0c057dc2b75d566f75e35ab14aaee9c0ba075140e02e8bfc4bc
• Instruction ID: ff3559a669c04a6eec0ca362f1984e896f61102c335c000e6f3dd54475d2f992
• Opcode Fuzzy Hash: bb3ea09e2920b0c057dc2b75d566f75e35ab14aaee9c0ba075140e02e8bfc4bc
• Instruction Fuzzy Hash: 3631C731A4051C9BDB319F18CC46FEE77BAFB15750F0204ADE745AB2A0D6749E808F90
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction ID: 30c995dfe4f0cb594056cb8bfd769ed60ea6908b95e8e019a57b8a4ad1e2b60d
• Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction Fuzzy Hash: 08217135A00619EBCB15CF58CD80A8EFBB5FF89714F1080A9EE159B242DA71EE05DB90
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a81a2d21c889f45ad2777b50aa3d61aa25bb3128f428558b417766049d836193
• Instruction ID: 668f5980fc0fadd8152dd7d3c83c74175f04711d30794237475576d109f6035b
• Opcode Fuzzy Hash: a81a2d21c889f45ad2777b50aa3d61aa25bb3128f428558b417766049d836193
• Instruction Fuzzy Hash: 6A21B172A087459BC722DF58CC40B6BBBE5FB88760F044519FD559B781DB30E901CBA2
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction ID: f83bcb7dd6a2f6953e46f9c0f99f013ba609279d0bd1e379961816a52436ae02
• Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction Fuzzy Hash: B6316A31600605AFD721CB68C985F6AB7FAFF45354F1549A9E6528B2A0E730EA41CB50
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a74464fe64d10f02ff3311b2633e73e40d84cbe503d5795f75f96e88a8adb5ac
• Instruction ID: 3794014929bdceae678862724a1d51138aa02e714487daa542e7c4ac918c65b0
• Opcode Fuzzy Hash: a74464fe64d10f02ff3311b2633e73e40d84cbe503d5795f75f96e88a8adb5ac
• Instruction Fuzzy Hash: CD31A076A00215DFCB14CF1CCC849AEB7B6FF84304B154499E8099B3A1E732FA55CB94
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c4c89d5b32b9deba30e10b01c52d3851d44ab30f5ec608e27d31e564a0c29c7
• Instruction ID: 89792d59d792bf46989d8b71fe0b348fc04ad8e5b278f50b41bfaa3decf4b372
• Opcode Fuzzy Hash: 0c4c89d5b32b9deba30e10b01c52d3851d44ab30f5ec608e27d31e564a0c29c7
• Instruction Fuzzy Hash: AB219E729005299BCB10AF59CC81ABEB7F4FF48740B550069F541AB240D778AD41CBA4
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 476d5b4dd8362809ae4c4871758793b831bb298468a185a5e13fdde1e684c679
• Instruction ID: 814f85d71a6ce5f7987063c7584f52f83995489cba636cd64df6f427ff08b8be
• Opcode Fuzzy Hash: 476d5b4dd8362809ae4c4871758793b831bb298468a185a5e13fdde1e684c679
• Instruction Fuzzy Hash: 7121AB72A00645AFD715EBACCD40A6AB7B9FF48750F144169F905D77A0D734ED00CBA8
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 051e357023f0f4e51882f59565b7bcf474dd5578b131c467d1fa70f806733c5f
• Instruction ID: b9b5a3949b7b6d9d6cd64657f9f6542534c6be74d9ae0c76ee7a3be8447c5594
• Opcode Fuzzy Hash: 051e357023f0f4e51882f59565b7bcf474dd5578b131c467d1fa70f806733c5f
• Instruction Fuzzy Hash: 0121D0729043469FD721EF6DCD44B6BBBECAFA0250F084A5ABD80C7351D770C909C6A2
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34abda650de9d119e9a5d42386583195bb3a7b166e68f17c9a0f63ab4b2b0fd4
• Instruction ID: 1f3a9fa1ec381093024378ab4c9c578e36185c20e8c3fb6fa7139e1714f239ab
• Opcode Fuzzy Hash: 34abda650de9d119e9a5d42386583195bb3a7b166e68f17c9a0f63ab4b2b0fd4
• Instruction Fuzzy Hash: 21213E33704A919BE322576CCD14B157B99AF41774F2A036CFA21AF7D2D7ACC801C515
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae595dc8289f72827cb56bad2dd7730381eea3c8f96b496a0eb16075cdcb74fe
• Instruction ID: f2f7d3a1818d101f6e217a9f366623a89dcef31d42bc4289675b6bbee553d92e
• Opcode Fuzzy Hash: ae595dc8289f72827cb56bad2dd7730381eea3c8f96b496a0eb16075cdcb74fe
• Instruction Fuzzy Hash: 6421A939200A019FD725DF69CC00B56B7F6FF48B04F24856CA55ACBB61E371E842DB98
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d41d2ffa9c72daa3a25ff12c8314dfae2bcd8ebbbf53f4666b9ba06cbe8efd7b
                                                                                                                                                                                                                  • Instruction ID: 01a4336a13c1b3780877ffef1f5b3c5eeb9e73d4bd170dc92e40ef49a0b91785
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d41d2ffa9c72daa3a25ff12c8314dfae2bcd8ebbbf53f4666b9ba06cbe8efd7b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9111E773280A117FD33256999C81FAB7ADADBD4B60F510068F759CB280EB60DD018795
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 568eaccac43033f92aecc37204523ee11888a1f4caa00d06fa356497699039ff
                                                                                                                                                                                                                  • Instruction ID: 1e075e8d69f4f6d143e91e8e2ed4b48094b1dac27a6c7b6ce514456112d95a24
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 568eaccac43033f92aecc37204523ee11888a1f4caa00d06fa356497699039ff
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2121E9B1E00249ABCB24DFAAD8819AEFBF9FF98700F10012EE505A7340D7709945CB54
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                  • Instruction ID: 27f55ee2505ee45b57e41cdb3ef32634d5532c39e225f8fb863662f5f6a0f453
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 24216DB2A0020AAFDF129F98CC40BAEBBBEEF89351F24445AF901A7251D734D9518B50
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                  • Instruction ID: da1fb915a29729504c076b3ce3db215b54b7920a1efb59e49a03cdf1da6acc01
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3411DD73A00605AFE722DA88CC80F9ABBB9EBC0B55F100029F6018F290D671ED48DB64
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 060eb5a7dc7c62ce44421d178065dfb7a1f19dd17896d81af01ecc787f0cfe27
                                                                                                                                                                                                                  • Instruction ID: f9f2c07107831ee0e63e51f2505acfa7f342a899a440c7e0305126df8b586d79
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 060eb5a7dc7c62ce44421d178065dfb7a1f19dd17896d81af01ecc787f0cfe27
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB11B631B016119BDB1ACF4DC88096BBBEDAF5A710B15407DEE099F349E7B1D9018B90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                                                                                  • Instruction ID: 97f32edf66b35d028bd848aee6d02a1dc34aefda04449601239383934a7b2f23
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5217972600A41DFD7298F89C940A66FBE6EBD4B10F14887DE58AC7720C731EC01EB80
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 20b3c6feef7647843d98110b3448f52ddb40374b3e0d99e181955fde0d5504fc
                                                                                                                                                                                                                  • Instruction ID: 80ca9193b533ddd04e229f3024d8738dd5256796df71e6d539260e4ab2ed8a91
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20b3c6feef7647843d98110b3448f52ddb40374b3e0d99e181955fde0d5504fc
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 52219F35A00206DFCB19CF58C980A6EBBB9FF88318F2441ADD105A7351C771AD06CBD0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: c5b30430e93540c80031e1a0cd1d9cac0bf8e91443b92a1a35a19184e15f7a00
                                                                                                                                                                                                                  • Instruction ID: 2ce77ff4a48d7a9b30bbf7f0e03becbcdaf72593a0ad889507c47d66d939d489
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5b30430e93540c80031e1a0cd1d9cac0bf8e91443b92a1a35a19184e15f7a00
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6216775600A00EFD7218F69CC81B66B7F9FB84250F44882DE5AAC7250EB30EA50CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 3585aebd28c04ce299968f8f069706b3a4bf92f06d8f789b86fc49d605b6297d
                                                                                                                                                                                                                  • Instruction ID: 3eb3392f4173eb781fa8ab12fd3b776bdd8b49ac17695cbb5f61e4e398d81c0a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3585aebd28c04ce299968f8f069706b3a4bf92f06d8f789b86fc49d605b6297d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B11A332240615EFCB22DB5DCD40F9A7BADEF957A0F114029F205DF261DA70E901C7A0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: e3b210386fc92a9ca8a4a02e5e1eb78a090566220e7ba5f712140807a4d03ee1
                                                                                                                                                                                                                  • Instruction ID: 7059127c840dd3f1deeebe7431fe883f354b39b00b3c7f025350d4420d8cacf4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e3b210386fc92a9ca8a4a02e5e1eb78a090566220e7ba5f712140807a4d03ee1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF112B337005249FCB19DB29DC91A7B726BEFD5370B29453DD922CB394EA319802C794
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                  • Instruction ID: 233ebc96e77b81f7bdae232a8ce866f089d497626a7de97ea878dc47e4eb13c3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87012635604B219BDB319F19E840A367BE9FF55770700892DFE998F281C731D400CBA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d58d1322e878fc40e7e15308daeacd84bbc1c6b38c2ce068584ae25e43968fcc
                                                                                                                                                                                                                  • Instruction ID: e1716e0260916dd98632f8312e7e4f3a4329c0cb4290a1d63eadf49b8668b3f2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d58d1322e878fc40e7e15308daeacd84bbc1c6b38c2ce068584ae25e43968fcc
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8A01D6729416119FC332DF1DDC40E22B7A9EB91770B254259E9699F6AADB30DC01C7D0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 71c6d5a795c3a0e64ec95507197e66c1a2bfa8403215fd2d2d4b0c19b39d9ca2
                                                                                                                                                                                                                  • Instruction ID: a8e7a8370b19876a22ec6e33c57744d771b50d7098fc767324cd85178802d835
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71c6d5a795c3a0e64ec95507197e66c1a2bfa8403215fd2d2d4b0c19b39d9ca2
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B811E132241201EFCB16EF09CC80F067BB9FF54B44F1000A9E9058B6A1C331ED01CA94
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 5132486b1eddcb76cf5b65da322535104251b70dabcd1bd7ffa344b08a6f1471
                                                                                                                                                                                                                  • Instruction ID: 6cf64fe1b51b4367e8e3a2c7440899a7166e7966f39e02d9009afe0a5509b588
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5132486b1eddcb76cf5b65da322535104251b70dabcd1bd7ffa344b08a6f1471
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07118271541229ABDB29EF64CC51FE97375BF04714F5041D8B314A61E1D7709E91CF88
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d18f366008b3051267cc4723f93a1828c647d6e54a771a1c81577b051f5a701e
                                                                                                                                                                                                                  • Instruction ID: 3f14cb7dd29e464b843ac43794876dab61d8689273c782bc5b867629c9f21086
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d18f366008b3051267cc4723f93a1828c647d6e54a771a1c81577b051f5a701e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69112977900019BBCB12EB94CC80DDFBB7DEF48254F044166E906E7211EA34EA15CBE4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                                                                  • Instruction ID: 4b1c20fe870abefb01f63fe94bb6c5a40bdf76eaee115dffb2a3d4f699786b46
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0801F5326002108BDF1ACA2DDC94A53776BBFC4610F5544ADED068F386DB718C81C790
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 7e56808508e4ab6174cf2374c9bed6633458e0a8724209b66ba850641145ba99
                                                                                                                                                                                                                  • Instruction ID: 0e6017ebba26b1023951dfea2090f9bc1599d986dbbc8cad0d14357d7e2df5f5
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e56808508e4ab6174cf2374c9bed6633458e0a8724209b66ba850641145ba99
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EA11A5766442459FD711CF58DC00BA5BBB9FB56314F098159E8458B315D731EC41CBA0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: f5fa66d6b061a318239fc4ef7b191de20d95322212ff2319efe22b65052d3999
                                                                                                                                                                                                                  • Instruction ID: bcb4f369f32273838e2216548e8bc93a17cd253385a36bd846893e094d6a05ca
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5fa66d6b061a318239fc4ef7b191de20d95322212ff2319efe22b65052d3999
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C1118B1E002099FCB00DFA9D941AAEBBF9FF58250F14406AA905E7351D674EA01CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 8aeb93d19bc54adb227ffeb270cd30f04913f3731bbd3a5ec08c9bb837f63292
                                                                                                                                                                                                                  • Instruction ID: ee3b2da70c0209e1e3ad45a9916072dde586fcf027e02160ae920309f377527a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8aeb93d19bc54adb227ffeb270cd30f04913f3731bbd3a5ec08c9bb837f63292
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                  • Instruction ID: 6703557266adc0339eb368b49cf6b87277d9881f7eda72a0daaea4d654b3f2dd
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0F062B2A00A25ABD324CF4DDC40E57FBEADBD5A90F05812DE555D7360EA31DD05CB90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 43abf48e24c1653806596c73b66bf8e97dd9a823e2dfc3f0091b74f96bf74a73
                                                                                                                                                                                                                  • Instruction ID: e761a98c906c3fd0a0d7b26a6d2b5f71dec7edf7f38f5aeb29b20149e41f5301
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 43abf48e24c1653806596c73b66bf8e97dd9a823e2dfc3f0091b74f96bf74a73
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 30017C72E10209EBCB00DFA9D941AAEB7F8FF58300F10402AE900E7350DB74DA018BA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                  • Instruction ID: 93b398003952c0aa6568e7d25ae335a2dd9da203513c937115af9baa6a3ce2d3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90F0FC332046279BD7321A598840F2FA595EFD1AE4F1A047DE3059F284C9648D0196D1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: a527f34fc91ab4d3e5ab0bb060f0b84db35fd9d465736f703ac9f1f71e2aad51
                                                                                                                                                                                                                  • Instruction ID: b8e3dfc74e8b9ef5f14bc26ba0d82d1c7812140b2bbcd1fb00e3275b370af3f3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a527f34fc91ab4d3e5ab0bb060f0b84db35fd9d465736f703ac9f1f71e2aad51
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D017C71E0020AEBCB04DFA9D841AAEB7F9EF58300F10802AF900E7350D674AA01CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 061e0ae750dcb9e945bc6bed63c48834098c7e8af5bd5c07219e48b5a77336ee
                                                                                                                                                                                                                  • Instruction ID: 7ae0f028329149357ff141ab7384afe624417570905802f67fa7a05eaf024c47
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 061e0ae750dcb9e945bc6bed63c48834098c7e8af5bd5c07219e48b5a77336ee
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB012C71E00209EBDB04DFA9D941AAEBBF8EF58704F54406AE915E7390DA749A018BA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                  • Instruction ID: 2d68fb5aac4d7defd21a5a1d66e85e187ae7a62d35fcfbf82181622f9326723c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF01D6326016859BD322971DCD09F59BB9DEF81750F094066FE049B791D7B5C802C225
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0502df2ccfd914c4e130b5f1b58f55df1a835d396078da8f69c4cee38e9281b9
                                                                                                                                                                                                                  • Instruction ID: 032ef43868bf126cfbcebab44d75b7e38ec8b397868159b08d47dc81e5265064
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0502df2ccfd914c4e130b5f1b58f55df1a835d396078da8f69c4cee38e9281b9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86012C71E002599BDB04DFA9D945AAEBBB8AF58710F14405EE501A7380D774AA01CB98
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                                                                  • Instruction ID: 198e99514e6505b514bcf92cac0c7e8e48d2fb71778fa390822976012ce2344b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDF0127220001EBFEF019F94DD80DAF7B7EEB55298B104129FA1192160D631DD21ABA0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 9df5bc3629a3409696df6754ed6d7a1ab801e7ec8e920b8a413bb2aa59c137a7
                                                                                                                                                                                                                  • Instruction ID: 4e9c484f049ae66700b6fc73b837491b1fb7b7d10b600ef0758da42d9f73e2b2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9df5bc3629a3409696df6754ed6d7a1ab801e7ec8e920b8a413bb2aa59c137a7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56018936100149ABCF12AE84DC40EDA3F66FB4C764F058216FE1966220C732D9B1EB91
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Instruction ID: bc3830636c0ec6b212a91e551986188d3698dad7dc8bf09a6fa72e2f01b79caf
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AF030721043049FE7218F09DE84F52BBFDEB55364F45C02AE6099B661D379EC40CBA4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                                                  • Instruction ID: 8f6da478c5a1233c31648b189a2b51bb26c336f0c4dd6b559520877f0983d939
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06F0E53A2047419BDB1BCF19C840AA67BA5FB453A0F040098FC428B341D735E982CB54
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                                                  • Instruction ID: c86946b143e8fa8d0afe56eecd95bbeba3e20a6ae4afb8c1f03786ae040f3b72
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0E0D832244145ABD3211A598C00B66FBA6EBD17A0F150429EA018B258DF70DC43C7DC
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 712d47c210e1c54691da3423b8dabf26846f2ce4808d2968bb1769561b95cc74
                                                                                                                                                                                                                  • Instruction ID: 5cc904f82405e0b2c077a662178c12474e0d0bb859e622de2edb1a973da2e98d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 712d47c210e1c54691da3423b8dabf26846f2ce4808d2968bb1769561b95cc74
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1F0A931E26A918FE772D73CEE80B6677E0AB10621F0E09A8D4108BE12CB34EC80C650
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                                                                  • Instruction ID: e1012bd6563f775b777721ce2e293aeedd635428c2e5e335b21b9a9623981065
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 85E0DF32A00120BBDB219799CD05FAABEADDF90EA0F090058B602E71E0E530EE00CAD0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                                                                                  • Instruction ID: d2df77c455194f2e1cb1dcee393b2715f5fba5ad7502a027692fd09559bfc374
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3AE09B31A403508BCF259A1DC941A53BFEDDF95660F16806DE90547712C371F843C6D0
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 614c1f83a0df91c22139ebc7b5ce7fd938c30073768be870f8fec6daf9f81d37
                                                                                                                                                                                                                  • Instruction ID: 565e755591e67974542fc14bbb58e448919c303cd13817d7e62e0bc6840f9ce4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 614c1f83a0df91c22139ebc7b5ce7fd938c30073768be870f8fec6daf9f81d37
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1E092721009549BC326BB29DD11F8B779BEF60364F11452DB115571A0CB30AC10C788
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                                                                                  • Instruction ID: b949adf4276382ffbb2fc59ab2623e34a25acacc5af8944c88ddf790f3560abd
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84E09231011A11DFE7326F2ADC88B927AE2BF90711F148C2DE096126F0C7B998C0CB44
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                  • Instruction ID: 04eca3b8accba45bc812faecd03f4646403f69dae1de0ff7a22eeffb3e0db041
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A1E0AE343003068BE715DF19C440B627BA6BFD5A10F28C168A9488F305EB32A843CA40
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: ff7ae4f939fba9337926f8b8d6bcf8dc1d82cb59d0fc12719f466927e716f5da
• Instruction ID: ec9b0c6d729d5c1757b5deaf5e0416c8f4a1107509482753aaef358f7b153cba
• Opcode Fuzzy Hash: ff7ae4f939fba9337926f8b8d6bcf8dc1d82cb59d0fc12719f466927e716f5da
• Instruction Fuzzy Hash: F1D02B324814306ACB35E11C7C04F933A9A9BC1320F058866F908B2011D515CC9386C8
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction ID: b009a375e04156a850f1a90c5fbf5c0ec9dc041c60317b2b31e450f6aa1ea1ea
• Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction Fuzzy Hash: 7FE08C35000A10EFDB322E15EC10B5176A2FB54B64F20482DF1820A1A587B0A881CA48
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aff1ce88e269500af194692ac9baf320623c51b53883bffa832a052e0a426d0
• Instruction ID: 8c3e8f8e4d3378a594462a60a8ea5fb41b1e4390c27e76729025292f0b77bcee
• Opcode Fuzzy Hash: 7aff1ce88e269500af194692ac9baf320623c51b53883bffa832a052e0a426d0
• Instruction Fuzzy Hash: BDE0C2321004606BC326FB5DDD10F4B739FEFA4370F040129F151872E4CA60AC00C798
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction ID: bced786aa39d014f435f4e30021f911e40b1ead656afc986054779b2a40eb731
• Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction Fuzzy Hash: B8D05B36511A509FD3315F1BDD00C13BBF5FBC4A10705052EA54643A24C770A805CB90
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 272a16680ab4b3e3e80fd71b71f33dcd6f9eb41f3282ad74ee072f367affcd29
• Instruction ID: 51abd01f70fcbcc21c422805d8877c8e25e26643cf53601f728ac5d11f627d47
• Opcode Fuzzy Hash: 272a16680ab4b3e3e80fd71b71f33dcd6f9eb41f3282ad74ee072f367affcd29
• Instruction Fuzzy Hash: ECC08C37E41005A68A088C86AC820B4F324EA97231B0022AAEE48FB5009A12D03302E9
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction ID: 855a01f6204f65c63ada7e84bf289af0122328eea89dcb00f2737ef83c075c27
• Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction Fuzzy Hash: D9D0A932214620ABD732AA1CFC00FC333E9BB88730F0A0459B019C7260C360AC81CA88
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction ID: f7dae29268f6ef3997a4cb7b6f0e42ab112f288ce70d582dd63a3d6e705819fe
• Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction Fuzzy Hash: 83E0EC369506849BDF16DF59CA40F5ABBB9BB94B40F190458A1085B760C725AD00CB40
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction ID: 4fe68027b70cec1058a3b925af3d1de9eede1a9b5216f0ad0e9d21967b693103
• Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction Fuzzy Hash: D3D0223221203093DB2856556C00F67790AFF80AA0F0A002C360E97900C1048C42C2E0
Memory Dump Source
• Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7c9a7aa92042272aa28a202e971fd0352cf72074f090797a503a772b785495c
• Instruction ID: be436e95d9782d37f3ecbd870d5916668241883da261d47d4231767b9e2ade11
• Opcode Fuzzy Hash: a7c9a7aa92042272aa28a202e971fd0352cf72074f090797a503a772b785495c
• Instruction Fuzzy Hash: EBC01222E03A14028F208E3AAC4A0ACF330EE42932B0127AACD38A78C8464685564989
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction ID: 80efb3f1d18dcc67079d42d06d2dc233afe99522e3de64e355435a5939a1309d
• Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction Fuzzy Hash: ABD012371D054DBBCB119F66DC01F957BA9E764BA0F444020B505875A0D63AE950D584
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c303e84a789a6be3e888d92c457884ba0a6876a903235948cfdfabbd01435e4
• Instruction ID: f164ff3508d8e217ecb277ff9533dc760dbe5be3932497ce788a78c8b978883b
• Opcode Fuzzy Hash: 3c303e84a789a6be3e888d92c457884ba0a6876a903235948cfdfabbd01435e4
• Instruction Fuzzy Hash: B4D0A730902001CBDF17DF08CD14D2E36B4FB50740B40006CFB0162224E364DC12C700
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction ID: 757337ddb2d78e18ac0a41216d4313ee5f13c55429e624f24c8837cc88ce95c3
• Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 76D0C935212E80CFDA1BCB0DC9A4B5533A8BB44B44F858490F401CBB26D72CD980CA00
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                                                  • Instruction ID: 607f38e62a8dd108a1de713cb85147cf0055bc4d58ea828cd1f5bf729964155c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95C08C33290648AFC712EF99CD01F027BAAFBA8B50F040021F3058B670D631FC20EA88
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                                                  • Instruction ID: 63ad1e166b7b7755e02bff5d82f13fbf04ec95d6ff61a831a57811496af19b68
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58D01236100649EFCB01DF41C890D9A772BFBD8710F108019FD19076108A31ED62DA90
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1418673624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 1197b2bab0399f4b2c5e7ad9df8bf920544f12c191f667ab0dbb148aa47a6587
                                                                                                                                                                                                                  • Instruction ID: a621b0c66dbbe6c2d5ec5b43a226f201dd518fb6f344af150c5fb37e37e6c186
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1197b2bab0399f4b2c5e7ad9df8bf920544f12c191f667ab0dbb148aa47a6587
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1EA00127E9A0180958255C497C451B8E768D2870BAD1133A7DD48B35005942C42A019D
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                                                  • Instruction ID: 592734e62c9afe9b33a995c934b059f2a5f840a23e8589509acc2ee067e1a95b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCC0487AB01A428FCF16DB2ADB94F49B7E5FB54750F191890E846CBB22E724E901CA10
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 7022b474f6728642faf32bf63a7103eb8825de7ed9ba2fc0589530ac10d7821e
                                                                                                                                                                                                                  • Instruction ID: 28387ca3dbd24db85260f7f87377f9a90e001a4c0cde9653cafd601b574ebd6d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7022b474f6728642faf32bf63a7103eb8825de7ed9ba2fc0589530ac10d7821e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0D90023160580012928075594C845474009A7E0301F55C011F8424694DCA148A565761
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 78e95dbd90f3c82651491c6f1d2d5ffc4fc54bc7112ba1f409afb0718758fe9e
                                                                                                                                                                                                                  • Instruction ID: 7e2ebb1d623b01079a922d1d4f67ed0ded53b881a74116b441b59197b0ca4781
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78e95dbd90f3c82651491c6f1d2d5ffc4fc54bc7112ba1f409afb0718758fe9e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A90027160150042428075594C044076009A7E1301795C115B85546A0DC61889559769
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: df148bada2e44e5dc37a30e57cbc5d363be1a1fded14d887cd4c985536caee8b
                                                                                                                                                                                                                  • Instruction ID: 3bfff7756eda94c4c26835b032507bdec110525c0f69ec9b40dacf80815ed621
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: df148bada2e44e5dc37a30e57cbc5d363be1a1fded14d887cd4c985536caee8b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0790023120544842D28075594804A47001997D0305F55C011B80647D4ED6258E55BB61
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 539e868108e30b01e1bac3b21f0665bfcfab553b5dbff87aa8ab254295c1de83
                                                                                                                                                                                                                  • Instruction ID: 59a5fe575fa053b4641f8e9e694498b19935c2bd9bd61e181e04500f7571c260
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 539e868108e30b01e1bac3b21f0665bfcfab553b5dbff87aa8ab254295c1de83
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E90023160540802D29075594814747000997D0301F55C011B8024794EC7558B557BA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d50422abdb3d88f3b492c19062b1930239a809d73b6218db44d5abd5175e10f4
                                                                                                                                                                                                                  • Instruction ID: 67dae4b7436228c9ad37f4f516a8386a17ad7d81c0fcd08859273580255962c4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d50422abdb3d88f3b492c19062b1930239a809d73b6218db44d5abd5175e10f4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6890023120140802D24475594C04687000997D0301F55C011BE024795FD66589917631
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 4e828ad4fce5f02ef1414b3664f0581ed0aec4f7d99c8d19b8c6d5c945e3312a
                                                                                                                                                                                                                  • Instruction ID: 32d991d92865630095e1f3b7934bddaac8214cf807c13a30a17cb5db55a5d0e7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e828ad4fce5f02ef1414b3664f0581ed0aec4f7d99c8d19b8c6d5c945e3312a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17900235221400020285B9590A0450B0449A7D6351795C015F94166D0DC62189655721
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 054c9c0c252cfcdd8262887be035ed8412e4fb70440b61c7fb84c106e91204c0
                                                                                                                                                                                                                  • Instruction ID: 265587c132ce1ac925f782d312e1601e05b57e29096ba8c81ee17456cb99da42
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 054c9c0c252cfcdd8262887be035ed8412e4fb70440b61c7fb84c106e91204c0
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF9002B1201540924640B6598804B0B450997E0201F55C016F90546A0DC52589519635
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 00a636bf7de27979cdd8118a133217c924b6785ec780520fe2132d2f27ce13b3
                                                                                                                                                                                                                  • Instruction ID: 95c273a4ccc06c2bb129c84d43454a0072c6ebbafe6862cf894eec481f4b0d47
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 00a636bf7de27979cdd8118a133217c924b6785ec780520fe2132d2f27ce13b3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B190023120544442D24079595808A07000997D0205F55D011B90646D5EC6358951A631
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 254c0f9826f7638e326473cee7804e9b7e5f06ddc3c5c24f75fc9435a2b13964
                                                                                                                                                                                                                  • Instruction ID: 80515c5948e1cf7d066416036c755b3e0ac00cb04bc9a81709857275b9daad8b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 254c0f9826f7638e326473cee7804e9b7e5f06ddc3c5c24f75fc9435a2b13964
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F890023124140402D28175594804607000DA7D0241F95C012B8424694FC6558B56AF61
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 9f68ad406f174e87ff6d8edad5e9f336d4d23c7f2f18827f013fef8ccc3807f7
                                                                                                                                                                                                                  • Instruction ID: b9d1831b03d34749073e9284925a3a3f8707e9da95ef0e31e6da2b456fa7101b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f68ad406f174e87ff6d8edad5e9f336d4d23c7f2f18827f013fef8ccc3807f7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6490023120140842D24075594804B47000997E0301F55C016B8124794EC615C9517A21
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: a0c4e4028d6e63b49083ceb190ecea092e4ba99602b996ff4aa26ba07ddfde6a
                                                                                                                                                                                                                  • Instruction ID: 448c29bdf3fe8c21dfc0ad8de2ded5d34ae50b7e798ca928e2294e30d0a31b03
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0c4e4028d6e63b49083ceb190ecea092e4ba99602b996ff4aa26ba07ddfde6a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B790023120140403D24075595908707000997D0201F55D411B8424698ED65689516621
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 2abc1176c1b4004fed3dfbd0bdb2c0bfd36c101a3ef351416699d0e893054ba3
                                                                                                                                                                                                                  • Instruction ID: 76335d8f8ac0c212798852cb5637ce5e06bfef0858dd561744e2799e1cb8b5cb
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2abc1176c1b4004fed3dfbd0bdb2c0bfd36c101a3ef351416699d0e893054ba3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1190023160540402D28075595818707001997D0201F55D011B8024694EC6598B556BA1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 62b20a3a5f2cda5b7e1afc9fea8688effa1f7d636da836dd11c8c378ebe94877
                                                                                                                                                                                                                  • Instruction ID: 0ae23d79b589baec57e201365ffdee9b5bb77e29d02888fab32de54d127ef9fa
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62b20a3a5f2cda5b7e1afc9fea8688effa1f7d636da836dd11c8c378ebe94877
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6590027121140042D24475594804707004997E1201F55C012BA154694DC5298D615625
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 0a320e4e19f3545e565c501c03a63bb66d0f0c4a9ae3548febe9b88abfb30e42
                                                                                                                                                                                                                  • Instruction ID: c935becfd6864e8a4715f1f980bac0265c836ceda2c457b460837c4b779eb253
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a320e4e19f3545e565c501c03a63bb66d0f0c4a9ae3548febe9b88abfb30e42
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE90023120180402D24075594C08747000997D0302F55C011BD164695FC665C9916A31
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: bc5b65f8971e51d4fb4329f98a84d95f69f8cb6e41eef22e54201f6bda7afbcf
                                                                                                                                                                                                                  • Instruction ID: c90719dfc3ee74070d65afb93b75bdf93f1c5164e72705bd2a32c5b43aaf187e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc5b65f8971e51d4fb4329f98a84d95f69f8cb6e41eef22e54201f6bda7afbcf
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C990023130140402D24275594814607000DD7D1345F95C012F9424695EC6258A53A632
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01674787
• Execute=1, xrefs: 01674713
• ExecuteOptions, xrefs: 016746A0
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01674742
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016746FC
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01674725
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01674655
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                  • API String ID: 0-484625025
                                                                                                                                                                                                                  • Opcode ID: 4525294ad0c8c7c6e58e534f68972f22ff8a70617f5e9cae6d6bd4140a48c903
                                                                                                                                                                                                                  • Instruction ID: 93f0606c80d0dc58fa4b8566a7e83e6130ca14595a3aa2a73f68dccc4abe597e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4525294ad0c8c7c6e58e534f68972f22ff8a70617f5e9cae6d6bd4140a48c903
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A512BB1A0021ABBEF11EBA8DC99FBD77B9EF55300F0400ADD605AB281DB719A41CF54
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                                                                                                                                                  • Instruction ID: 7d073eafafc324f47fa23c1b3fedb2eb31708500780387b3e6c43a66e9f6ad64
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C021671908342AFD315CF18C890A6FBBE6EFC8704F54892DFA858B264DB31E945CB56
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                                                                                  • String ID: +$-$0$0
                                                                                                                                                                                                                  • API String ID: 1302938615-699404926
                                                                                                                                                                                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                  • Instruction ID: a16d365d75c20092aa1b7d931929368b81c0e796994c75f0c22eacf1b9382a26
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E818970A052599FEF29CF6CCC917FEBFA2AF45320F18425AE861A7391C734D8418B65
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                                                  • String ID: %%%u$[$]:%u
                                                                                                                                                                                                                  • API String ID: 48624451-2819853543
                                                                                                                                                                                                                  • Opcode ID: e116c31bc475480754867aa7d355d30ff7d8cdbd83fe8dc7aae476440c8ded20
                                                                                                                                                                                                                  • Instruction ID: c3acf545fb12aa8c3dc5e5193b8f99a3118f800ba61dfc26409d26eb6351c89d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e116c31bc475480754867aa7d355d30ff7d8cdbd83fe8dc7aae476440c8ded20
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E21657AA00119ABDB10DF79DC90AEEBBF9EF54641F04011EEA05D3201E730EA568BA1
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 0167031E
                                                                                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016702BD
                                                                                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016702E7
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                                                                                  • Opcode ID: cf550b85551c6848540b038faf90c42ab5e2bb5b19c4f8c3573b1d23386ce581
                                                                                                                                                                                                                  • Instruction ID: f17d87873f481404f9be3ebb5730dcf005fa8ff64e0f4c0332b88e9458538bcc
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cf550b85551c6848540b038faf90c42ab5e2bb5b19c4f8c3573b1d23386ce581
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0AE1C931608B529FD725CF28CC80B2ABBF1AB85324F144AADF5A58B3E1D774D845CB52
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01677B7F
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 01677BAC
                                                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 01677B8E
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                                                                                  • Opcode ID: 39fade2fdfe7fdadafc2e009f2cf180ebaab07086bbc0c9a81b862aa9b5b51e0
                                                                                                                                                                                                                  • Instruction ID: 9262c25e7bdf9c65dd8220074fdf0c7cec96399ad7510396ebcacf3d661226e6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 39fade2fdfe7fdadafc2e009f2cf180ebaab07086bbc0c9a81b862aa9b5b51e0
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA41CF317047029FD725DE2DCC40B6AB7E6EF98720F100A2DEA5A9B780DB31E8058B95
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0167728C
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 016772C1
                                                                                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01677294
                                                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 016772A3
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                                                                                  • Opcode ID: c354f8955201d237b25018f23854a2134fbe9a35ef2a04a48113ac8f25095c9f
                                                                                                                                                                                                                  • Instruction ID: edd7bd461b42bb822cc5b0865538c487b4382787cc19a47632461b4894399dd4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c354f8955201d237b25018f23854a2134fbe9a35ef2a04a48113ac8f25095c9f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E410031701206ABCB21DE29CC45F6AB7A6FF94720F10461DFD65EB381DB20E8428BD5
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
                                                                                                                                                                                                                  Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 2dda7535fc97e8a1e309fb4469e092c97dabbb286426457ff1036a5b689652c4
• Instruction ID: 16da2299e6c445835af1c5fa3d3f2777c5591fe7939abaa0bc5d15ca5b6a2910
• Opcode Fuzzy Hash: 2dda7535fc97e8a1e309fb4469e092c97dabbb286426457ff1036a5b689652c4
• Instruction Fuzzy Hash: A0318672A112199FDB60DF2DCC90BEE77F8FB44610F44055DE949E3200EB30EA958BA0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: 774956a599341dd31827a928b5a360f01f1844ad05e4982b52b353f3b317252c
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: B791BF71E0021A9BEB64DF6DCC80ABEBBA6FF44720F54461AE955E73C0E7309941CB61
Strings
Memory Dump Source
• Source File: 00000004.00000002.1419367496.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_15d0000_Ot7EdLwo881ajbV.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 5d4fd70cdf0d142c0e2e5122985f4ef6561e06ff8e0ccd9658ee77da2cc3d6f6
• Instruction ID: 7818b81f8070b356a9cd3806fffe2442933ca67722fab10123b27954c856a591
• Opcode Fuzzy Hash: 5d4fd70cdf0d142c0e2e5122985f4ef6561e06ff8e0ccd9658ee77da2cc3d6f6
• Instruction Fuzzy Hash: 05812A71D012699BDB35CB54CC54BEAB7B9AB08714F0441EAEA0DB7280D7309E85CFA4

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 420
Total number of Limit Nodes: 15

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 6513642946f7df9a2ce7d4f6aff1f5ef428669a8580b74cb17a19262f4ca04a7
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 47226B70A18A0D9FDB49DF28C4846AAFBE1FB58305F52426ED45ED7250DB31E451CB82

Control-flow Graph

• Executed
• Not Executed
APIs
• NtProtectVirtualMemory.NTDLL ref: 116A0E67
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: 64500acfdbe83bdea1fb00b2234e35281fc1059af32c1c5366fdedaacbd73932
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 1301B134628B884F8788EF6CE48022AB7E4FBDD314F000B3EE99AC3250EB70C5418742

APIs
• NtProtectVirtualMemory.NTDLL ref: 116A0E67
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: cf44987073261088b2062a3675c8b38254da660e80967cd5a0c8a10e2471da31
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 1B01A234628B884F8748EF2C94412A6B7E5FBCE314F000B7EE99AC3241DB21D5028782

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: getaddrinfo
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 300660673-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 53f62caacb0d34f01baed5ef41bfb98ca5622371c79de85764ad874414ba2845
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 06528B30618A498FDB19EF68D4847EAB7E2FB54304F50462EC4AFC7146EF31A949CB85

APIs
• ObtainUserAgentString.URLMON ref: 1169A9A0
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 5a9e0ab9ba9ebce2f72c51a2b3da980ecad25bf35e27d9b1e2ff5b8a8857242d
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: A831DF31614A4D8FCB04EFA8D8847EEBBE1FB58209F40022AD45ED7240DF799A45C789

APIs
• ObtainUserAgentString.URLMON ref: 1169A9A0
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 66e682bd0c6a82b28b44fb60452df40c9f9b0bb1323f3ef89d9dda973aca84de
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: C6212331A10A4D8FCF04EFA8C8847EDBBE1FF58208F40422AD45AD7240DF759A04CB89

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: a9f1f81a5dc14d5fdf3c0d7bec98cb4618521e4000527faa84dfa2e267bbadcf
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: A8415A74918A0CCFDB84EFA8C8D47AD7BE1FB68304F00417AD84ADB255EE319945CB85

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 57fc6e62367cc4420a263857eb71b35d6d576ad73bddec9c3477e78784022c45
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 1A413774918A0CCFDB84EFA8C898BAD77E1FB68304F04417AD84EDB255DE309A45CB85

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 403 1169c5b2-1169c5ea 404 1169c60a-1169c62b socket 403->404 405 1169c5ec-1169c604 call 1169f942 403->405 405->404
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: socket
                                                                                                                                                                                                                  • String ID: sock
                                                                                                                                                                                                                  • API String ID: 98920635-2415254727
                                                                                                                                                                                                                  • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                                                                  • Instruction ID: d62754e9ace166664e8830daba328b8cfa1cbecb6a8a2f886277be68e6b895a8
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B014F70618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE85EDB266C7B0D981CB86

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 408 116942dd-11694320 call 1169f942 411 116943fa-1169440e 408->411 412 11694326 408->412 413 11694328-11694339 SleepEx 412->413 413->413 414 1169433b-11694341 413->414 415 1169434b-11694352 414->415 416 11694343-11694349 414->416 418 11694370-11694376 415->418 419 11694354-1169435a 415->419 416->415 417 1169435c-1169436a call 1169ef12 416->417 417->418 421 11694378-1169437e 418->421 422 116943b7-116943bd 418->422 419->417 419->418 421->422 423 11694380-1169438a 421->423 424 116943bf-116943cf call 11694e72 422->424 425 116943d4-116943db 422->425 423->422 427 1169438c-116943b1 call 11695432 423->427 424->425 425->413 429 116943e1-116943f5 call 116940f2 425->429 427->422 429->413
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                                                                  • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                                                                                  • Instruction ID: b9f8ddbc2650d143dba0fd9f7db8eeb6e4213beaebe20efc4b2e4bb161fcf336
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07316874619B4EDFDB589F6A81882A5B7A1FB54305F44427FC92DCB206CB32A460CFD2

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 444 11694412-11694446 call 1169f942 447 11694448-11694472 call 116a1c9e CreateThread 444->447 448 11694473-1169447d 444->448
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3783356068.00000000115F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115F0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_115f0000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateThread
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2422867632-0
                                                                                                                                                                                                                  • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                                                                  • Instruction ID: 2f5a6d050a34e575983281e857a0e68fe55d9baae46c0feeb39b98f0245b9edc
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23F0F634268A4D4FD788EF2CD44563AF7D0FBE8214F41063EA54DC3264DA39D5828716

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 2ab23c5871223b10d1874107aa8d3ed69d8540048bdbb3a58150a212f22064b1
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 6FE15874628F488FC7A4DF68C4857ABB7E0FB58300F504A2EA5ABC7255DF30A545CB89

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: cb43f3ee4537cc5da7b45b96ae6d7911cb819b531ac18c120b8259b8d0cfcd84
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: C5B18E30618B488EDB59DF68C486AEEB7F1FF58340F50461EE49AC7251EF70A509CB86
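The String ID fields in the entries above (".dll$el32$kern" next to CreateMutex, ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini", and "Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte") are lists of four-character fragments rather than whole strings. Fragments of exactly four bytes are what a 32-bit immediate carries, so the likely reading is that the code builds its DLL names and login-field names on the stack at runtime and no complete string is present in the dump; that reading is an inference from the fragment lengths, not something the report states. The helper below is an added example written for this edit, not code from the Joe Sandbox report or from the sample. It takes a String ID value verbatim, splits it on "$", and reports which names from a candidate dictionary the fragments tile at 4-byte-aligned offsets. The alignment rule, the treatment of the fragments as a reusable set (the report lists "encr" and "ypte" twice but "d" once, although two candidates need it), and the candidate names themselves (kernel32.dll, user32.dll, wininet.dll, encryptedUsername, encryptedPassword, usernameField, formSubmitURL, guid, plus some decoys) are all this editor's assumptions.

```python
"""Reassemble 4-byte stack-string fragments from Joe Sandbox 'String ID' fields.

Added example, not part of the report. Assumptions made here:
  * each fragment came from one 32-bit immediate, so a reconstructed string
    is tiled by fragments at 4-byte-aligned offsets (0, 4, 8, ...);
  * the fragment list is a set (the report de-duplicates), so one fragment
    may serve several candidates;
  * the candidate dictionaries are supplied by the analyst; the report only
    shows the fragments, never what they spell.
"""
from typing import Dict, List, Set, Tuple

CHUNK = 4  # bytes carried by one 32-bit immediate


def parse_fragments(string_id: str) -> Set[str]:
    """Split a Joe Sandbox 'String ID' value ('a$b$c') into its fragments."""
    return {frag for frag in string_id.split("$") if frag}


def aligned_pieces(candidate: str) -> List[str]:
    """Cut a candidate into the 4-byte pieces a push-immediate sequence would carry."""
    return [candidate[i:i + CHUNK] for i in range(0, len(candidate), CHUNK)]


def match(candidate: str, fragments: Set[str]) -> Tuple[str, List[str]]:
    """Classify one candidate against the fragment set.

    Returns (status, missing_pieces); status is 'complete', 'partial' or
    'none'. 'partial' means exactly one piece is absent and at least two are
    present, which keeps a truncated hit (formSubmitURL without its trailing
    'L') while rejecting a chance match on a single common piece.
    """
    pieces = aligned_pieces(candidate)
    found = [p for p in pieces if p in fragments]
    missing = [p for p in pieces if p not in fragments]
    # Require at least one full 4-byte piece so that single letters such as
    # 'd', 'e', 'M' or 'S' can never carry a match on their own.
    if not any(len(p) == CHUNK for p in found):
        return "none", missing
    if not missing:
        return "complete", missing
    if len(missing) == 1 and len(found) >= 2:
        return "partial", missing
    return "none", missing


def reassemble(string_id: str, dictionary: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Return every dictionary entry the fragments fully or nearly spell."""
    fragments = parse_fragments(string_id)
    hits: Dict[str, Tuple[str, List[str]]] = {}
    for cand in dictionary:
        status, missing = match(cand, fragments)
        if status != "none":
            hits[cand] = (status, missing)
    return hits


# Fragment lists copied verbatim from the report's 'String ID' fields.
DLL_FRAGMENTS = ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini"
FIELD_FRAGMENTS = ("Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR"
                   "$name$rnam$swor$user$ypte$ypte")

# Assumed candidate dictionaries (the report does not name these strings);
# ntdll.dll, advapi32.dll, passwordField and hostname are decoys that must
# not be reported.
DLL_DICT = ["kernel32.dll", "user32.dll", "wininet.dll", "ntdll.dll", "advapi32.dll"]
FIELD_DICT = ["encryptedUsername", "encryptedPassword", "usernameField",
              "passwordField", "formSubmitURL", "guid", "hostname"]

if __name__ == "__main__":
    for label, frags, dictionary in (("DLL names", DLL_FRAGMENTS, DLL_DICT),
                                     ("login fields", FIELD_FRAGMENTS, FIELD_DICT)):
        print(label)
        for name, (status, missing) in reassemble(frags, dictionary).items():
            extra = f" (missing {missing})" if missing else ""
            print(f"  {status:8} {name}{extra}")
```

Run stand-alone, the first list resolves to kernel32.dll, user32.dll and wininet.dll, and the second to encryptedUsername, encryptedPassword, usernameField and guid as complete hits plus formSubmitURL as a partial hit missing only "L". That near-miss rule is the point of the helper: the report lists no "L" fragment, so exact tiling would drop formSubmitURL, while hostname (which shares only "name") and passwordField (two pieces absent) are still rejected. The same function applied to ".dll$el32$kern" from the CreateMutex entry returns kernel32.dll.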

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 29ed82f37e954f5bfece4e0e394ca304d11646be68dbb0d4be198cdcdf3f940e
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 5A41B170A18B088FDF58DF88A4566BD7BF2FB48740F00025EE409D3245DBB5AD498BD6

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: 4e4164e10af80d94293e72e54f1999b459784b12eaab224eafeba419650f4a1f
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: F5C14A74218B098FC798EF24C496ADAF7E1FF94304F40472EA49AC7210DF70A519CB8A

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: 03cfe7756585c849e937d694fced919cbe37f73a03360cb3565e4bbc3c9f6e1d
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: 9351D3315187488FD759CF18C8812AEB7E5FBC5744F501A2EE8CBC7251DBB4A90ACB82

Strings
Memory Dump Source
• Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                                                                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                  • Instruction ID: eef171d67ad9a2e19c4dba08be103c550ae019cf45ad1f17ed81464f281e7f09
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 21C19174619A194FC788EF68D496AEAF3E1FB98340F51432D944EC7254DF30AA09CBC9
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                                                                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                  • Instruction ID: ffccedd594b9350bc44233d6fc89ec74a4a6c0a319b5b3d68e11b583d12ac90b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7AC19174619A194FC788EF68D496AEAF3E1FB98340F51432D944EC7254DF30AA09CBC9
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                                                                                  • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                                  • Instruction ID: 4fea6f36c2f064eb8b64ee8df7a5441b03bbac93290f10c93e23f04a335006c2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2EA1BC3061874C8FDB18DFA8D444BEEB7E1FF88354F40462EE48AD7291EE3099498789
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                                                                                  • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                                  • Instruction ID: a7f2b7c646998cdd4256a0384f97d5455392f33530dde406d01d99f33d86be0a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AD91BD3061874C8FDB58DFA8D444BEEB7E1FB88354F40462EE48AD7291EF7095498789
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: $.$e$n$v
                                                                                                                                                                                                                  • API String ID: 0-1849617553
                                                                                                                                                                                                                  • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                                  • Instruction ID: bf83753b5679745337382543932a5c8913989e3e7ffda867a8f7062f924acf73
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E719031618B498FD758DFA8C4857AAB7F1FF98344F00062EE44AC7261EF71E9498B85
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                                                  • API String ID: 0-1970020201
                                                                                                                                                                                                                  • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                                  • Instruction ID: ce36b58094bf36615ae83c8b9be3fe619a16c7906011fefd5ac3a3eff697ebc6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B514DB0918B4C8FDB94DFA4C045AEEB7F1FF58300F40462EA59AE7214EF70A5458B89
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                                                  • API String ID: 0-1610437797
                                                                                                                                                                                                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                                  • Instruction ID: badf2da26189c91be0ba5cba60f8d98de79d40e1437e4fdc666ff1ff103d198e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17419634219B4C8FDBA5DF24D8457EAB3E4FB94341F41462EA49EC7241EF30D9058786
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                                  • API String ID: 0-327345718
                                                                                                                                                                                                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                  • Instruction ID: a64973cb90b724395e4f11d14d3299c95e401092a9d996b8d9d80c17867e2259
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA416270A19E0E8FCB94EF58C0A57EE77E1FB58380F51456AA80ED7210EA71D9448BC6
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: .dll$el32$h$kern
                                                                                                                                                                                                                  • API String ID: 0-4264704552
                                                                                                                                                                                                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                  • Instruction ID: 90fa82acf44a96d623da8f5b83f0f2a95bb40c85e861eccd4c677ff2093f0b3f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F5418270608B498FD799DF28C0853AAB7E1FB98340F104A2FA49EC3255DB70D949CB45
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                                                                                  • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                  • Instruction ID: 8c8475df36600199289145fa1532c5b5336ba2e98c0271aa5f45a09680a0bfc4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2631027050DB886FC76ADF28D0856DAB7D4FB84340F50491EE49BC7291EE30A64ACB47
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                                                                                  • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                  • Instruction ID: af36898c898c75198fc96fcc8348f700795c3f099bece0417e874dc8a55c89f2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87310170409B486FC36ADF28D4856EAB3D4FB94340F404A1EE49BC3255EE30E50ACA46
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                                                                                  • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                  • Instruction ID: 2a274557d5efaef206e0f0c04855073d1d6b47c4c5443361aef63b3bf5a80132
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF318134119B584FC7C4EF288495BAAB7E1FF98340F94462DA44ECB254DF30D909C796
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                                                                                  • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                  • Instruction ID: 9837fceaf2eb99f03a06617053aa00a3b5c70d938656fd719b44df5c764d497c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1531A030219B188FC7C4DF288495BAAB7E1FF98340F94462DA44ECB254DF30D909CB96
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                  • Instruction ID: 495e020f1bc76970bbd7bc3d9311ad2661c6dc2050f6dbb283e6545265119f55
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BD31E331614A4C8FCB44EFA8C8857EDB7E1FF58254F40422AE45EE7240DF789649C789
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                  • Instruction ID: d71692a17f623b28acff8847584250075d76ace0667b7707d7f9545e01d056a0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61210630615A4C8FCB44EFA8C8457EDBBF1FF58254F40421AE45AE7250DF749608CB89
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                                  • Instruction ID: c7039a5532c0346f9e25dacabbe2a3ecd14cc01b06a921edd560463e15d2ed75
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B216B74A24A0D9FDB44EFA8D0457E9BBF0FF18310F50462DE049D3600DB78A555CB88
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                  • Instruction ID: f328fa1d0ba79c102c0eca6af6cb41fab1c86b5a88c99ecd0cf27b616b9bdf23
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 39217C74A25B0E9FDB44EFA8D0457AEBAF0FF58310F50462EE049D3600DB78A555CB88
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000005.00000002.3782807230.0000000010590000.00000040.00000001.00040000.00000000.sdmp, Offset: 10590000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_10590000_explorer.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                                  • Instruction ID: c148e193404bc5c7b8be7f62541ad137812821beb5af62aff0b6c098e512d2ab
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B021CD70614B0D8BCB45CF9998916DEB7E1FF88394F004619E40AEB248D7B4EA598BC6

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 622
Total number of Limit Nodes: 65

The graph is an interactive view in the original report. What survives extraction is its raw token stream (the word execution_graph, then node definitions of the form "<node id> <address> [API names | N API calls]" interleaved with "<id>-><id>" edges), which is not readable as text and is not reproduced here. The API-bearing nodes recoverable from the part of the stream on this page, by code region:

0x71xxxx-0x72xxxx region (entered at 0x729050 and 0x72f05d, mostly import resolution): 0x7290f0 Sleep, in a loop with 0x7290dd; LdrLoadDll at 0x728c70, 0x728e80, 0x71ad50, 0x7252d0, 0x724e50, 0x71ae40, 0x719620, 0x72b570, 0x72a430 and 0x72af30; 0x71d6c0 LdrLoadDll, NtClose, LdrInitializeThunk (x2); 0x724790 LdrLoadDll, NtReadFile, NtClose; 0x724650 LdrLoadDll, NtClose, LdrInitializeThunk (x2); summarized nodes 0x72bf60 (2 API calls), 0x72a460 (2 API calls), 0x72bd90 (2 API calls), 0x724a50 (8 API calls) and 0x718d00 (21 API calls).

0x3152ad0 LdrInitializeThunk (no edges on this page).

0x2fd9xxx-0x2fdaxxx region, entered from 0x2fdcb84 -> 0x2fda042: 0x2fda182 NtQueryInformationProcess -> 0x2fda2fc NtSuspendThread -> (via 0x2fd9bb2) 0x2fd9c66 NtCreateSection -> 0x2fd9cc1 NtMapViewOfSection -> 0x2fd9dc5 NtClose -> 0x2fda4a6 NtSetContextThread -> 0x2fda51c NtQueueApcThread -> 0x2fda552 NtResumeThread. A sibling branch from 0x2fda290 reaches 0x2fd9de2, which holds NtCreateSection, NtMapViewOfSection and NtClose in one node. This is the process-hollowing order: the target process is queried, its thread suspended, a section mapped into it, the thread context rewritten, an APC queued and the thread resumed, which is the behaviour behind the thread-injection and hollowing signatures for this sample.
104130->104232 104134 724c97 104131->104134 104135 724c7f 104131->104135 104134->104122 104189 724410 104134->104189 104177 7246f0 104135->104177 104137 724c70 104137->104088 104139 724d2c 104237 72a460 104139->104237 104140 724c8d 104140->104088 104143 724caf 104143->104088 104144 724d38 104144->104088 104146 72b0d1 104145->104146 104147 72b0e3 104146->104147 104148 72bd10 LdrLoadDll 104146->104148 104147->104091 104149 72b104 104148->104149 104258 724070 104149->104258 104151 72b150 104151->104091 104152 72b127 104152->104151 104153 724070 3 API calls 104152->104153 104156 72b149 104153->104156 104155 72b1da 104157 72b1ea 104155->104157 104385 72aed0 LdrLoadDll 104155->104385 104156->104151 104290 725390 104156->104290 104300 72ad40 104157->104300 104160 72b218 104379 729e90 104160->104379 104164 72af30 LdrLoadDll 104163->104164 104165 729eec 104164->104165 104410 3152c0a 104165->104410 104166 729f07 104168 72bd90 104166->104168 104413 72a640 104168->104413 104170 72b329 104170->104054 104172 72af30 LdrLoadDll 104171->104172 104173 724b44 104172->104173 104173->104111 104173->104112 104173->104115 104175 72af30 LdrLoadDll 104174->104175 104176 72a34c NtCreateFile 104175->104176 104176->104116 104178 72470c 104177->104178 104179 72a2b0 LdrLoadDll 104178->104179 104180 72472d 104179->104180 104181 724734 104180->104181 104182 724748 104180->104182 104183 72a460 2 API calls 104181->104183 104184 72a460 2 API calls 104182->104184 104185 72473d 104183->104185 104186 724751 104184->104186 104185->104140 104241 72bfa0 LdrLoadDll RtlAllocateHeap 104186->104241 104188 72475c 104188->104140 104190 72445b 104189->104190 104191 72448e 104189->104191 104193 72a2b0 LdrLoadDll 104190->104193 104192 7245d9 104191->104192 104196 7244aa 104191->104196 104194 72a2b0 LdrLoadDll 104192->104194 104195 724476 104193->104195 104201 7245f4 104194->104201 104197 72a460 2 API calls 104195->104197 104198 72a2b0 LdrLoadDll 104196->104198 104199 72447f 104197->104199 104200 7244c5 
104198->104200 104199->104143 104203 7244e1 104200->104203 104204 7244cc 104200->104204 104254 72a2f0 LdrLoadDll 104201->104254 104207 7244e6 104203->104207 104208 7244fc 104203->104208 104206 72a460 2 API calls 104204->104206 104205 72462e 104209 72a460 2 API calls 104205->104209 104210 7244d5 104206->104210 104211 72a460 2 API calls 104207->104211 104216 724501 104208->104216 104242 72bf60 104208->104242 104212 724639 104209->104212 104210->104143 104213 7244ef 104211->104213 104212->104143 104213->104143 104224 724513 104216->104224 104245 72a3e0 104216->104245 104217 724567 104218 72457e 104217->104218 104253 72a270 LdrLoadDll 104217->104253 104220 724585 104218->104220 104221 72459a 104218->104221 104223 72a460 2 API calls 104220->104223 104222 72a460 2 API calls 104221->104222 104225 7245a3 104222->104225 104223->104224 104224->104143 104226 7245cf 104225->104226 104248 72bb60 104225->104248 104226->104143 104228 7245ba 104229 72bd90 2 API calls 104228->104229 104230 7245c3 104229->104230 104230->104143 104231->104115 104232->104137 104234 72af30 LdrLoadDll 104233->104234 104235 724d14 104234->104235 104236 72a2f0 LdrLoadDll 104235->104236 104236->104139 104238 72af30 LdrLoadDll 104237->104238 104239 72a47c NtClose 104238->104239 104239->104144 104240->104124 104241->104188 104255 72a600 104242->104255 104244 72bf78 104244->104216 104246 72af30 LdrLoadDll 104245->104246 104247 72a3fc NtReadFile 104246->104247 104247->104217 104249 72bb84 104248->104249 104250 72bb6d 104248->104250 104249->104228 104250->104249 104251 72bf60 2 API calls 104250->104251 104252 72bb9b 104251->104252 104252->104228 104253->104218 104254->104205 104256 72af30 LdrLoadDll 104255->104256 104257 72a61c RtlAllocateHeap 104256->104257 104257->104244 104259 724081 104258->104259 104261 724089 104258->104261 104259->104152 104260 72435c 104260->104152 104261->104260 104386 72cf00 104261->104386 104263 7240dd 104264 72cf00 2 API calls 104263->104264 104268 7240e8 104264->104268 104265 
724136 104267 72cf00 2 API calls 104265->104267 104271 72414a 104267->104271 104268->104265 104391 72cfa0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 104268->104391 104392 72d030 104268->104392 104270 7241a7 104272 72cf00 2 API calls 104270->104272 104271->104270 104274 72d030 3 API calls 104271->104274 104273 7241bd 104272->104273 104275 7241fa 104273->104275 104277 72d030 3 API calls 104273->104277 104274->104271 104276 72cf00 2 API calls 104275->104276 104278 724205 104276->104278 104277->104273 104279 72d030 3 API calls 104278->104279 104286 72423f 104278->104286 104279->104278 104281 724334 104399 72cf60 LdrLoadDll RtlFreeHeap 104281->104399 104283 72433e 104400 72cf60 LdrLoadDll RtlFreeHeap 104283->104400 104285 724348 104401 72cf60 LdrLoadDll RtlFreeHeap 104285->104401 104398 72cf60 LdrLoadDll RtlFreeHeap 104286->104398 104288 724352 104402 72cf60 LdrLoadDll RtlFreeHeap 104288->104402 104291 7253a1 104290->104291 104292 724a50 8 API calls 104291->104292 104294 7253b7 104292->104294 104293 72540a 104293->104155 104294->104293 104295 7253f2 104294->104295 104296 725405 104294->104296 104298 72bd90 2 API calls 104295->104298 104297 72bd90 2 API calls 104296->104297 104297->104293 104299 7253f7 104298->104299 104299->104155 104403 72ac00 104300->104403 104302 72ad54 104303 72ac00 LdrLoadDll 104302->104303 104304 72ad5d 104303->104304 104305 72ac00 LdrLoadDll 104304->104305 104306 72ad66 104305->104306 104307 72ac00 LdrLoadDll 104306->104307 104308 72ad6f 104307->104308 104309 72ac00 LdrLoadDll 104308->104309 104310 72ad78 104309->104310 104311 72ac00 LdrLoadDll 104310->104311 104312 72ad81 104311->104312 104313 72ac00 LdrLoadDll 104312->104313 104314 72ad8d 104313->104314 104315 72ac00 LdrLoadDll 104314->104315 104316 72ad96 104315->104316 104317 72ac00 LdrLoadDll 104316->104317 104318 72ad9f 104317->104318 104319 72ac00 LdrLoadDll 104318->104319 104320 72ada8 104319->104320 104321 72ac00 LdrLoadDll 104320->104321 104322 72adb1 104321->104322 104323 72ac00 LdrLoadDll 
104322->104323 104324 72adba 104323->104324 104325 72ac00 LdrLoadDll 104324->104325 104326 72adc6 104325->104326 104327 72ac00 LdrLoadDll 104326->104327 104328 72adcf 104327->104328 104329 72ac00 LdrLoadDll 104328->104329 104330 72add8 104329->104330 104331 72ac00 LdrLoadDll 104330->104331 104332 72ade1 104331->104332 104333 72ac00 LdrLoadDll 104332->104333 104334 72adea 104333->104334 104335 72ac00 LdrLoadDll 104334->104335 104336 72adf3 104335->104336 104337 72ac00 LdrLoadDll 104336->104337 104338 72adff 104337->104338 104339 72ac00 LdrLoadDll 104338->104339 104340 72ae08 104339->104340 104341 72ac00 LdrLoadDll 104340->104341 104342 72ae11 104341->104342 104343 72ac00 LdrLoadDll 104342->104343 104344 72ae1a 104343->104344 104345 72ac00 LdrLoadDll 104344->104345 104346 72ae23 104345->104346 104347 72ac00 LdrLoadDll 104346->104347 104348 72ae2c 104347->104348 104349 72ac00 LdrLoadDll 104348->104349 104350 72ae38 104349->104350 104351 72ac00 LdrLoadDll 104350->104351 104352 72ae41 104351->104352 104353 72ac00 LdrLoadDll 104352->104353 104354 72ae4a 104353->104354 104355 72ac00 LdrLoadDll 104354->104355 104356 72ae53 104355->104356 104357 72ac00 LdrLoadDll 104356->104357 104358 72ae5c 104357->104358 104359 72ac00 LdrLoadDll 104358->104359 104360 72ae65 104359->104360 104361 72ac00 LdrLoadDll 104360->104361 104362 72ae71 104361->104362 104363 72ac00 LdrLoadDll 104362->104363 104364 72ae7a 104363->104364 104365 72ac00 LdrLoadDll 104364->104365 104366 72ae83 104365->104366 104367 72ac00 LdrLoadDll 104366->104367 104368 72ae8c 104367->104368 104369 72ac00 LdrLoadDll 104368->104369 104370 72ae95 104369->104370 104371 72ac00 LdrLoadDll 104370->104371 104372 72ae9e 104371->104372 104373 72ac00 LdrLoadDll 104372->104373 104374 72aeaa 104373->104374 104375 72ac00 LdrLoadDll 104374->104375 104376 72aeb3 104375->104376 104377 72ac00 LdrLoadDll 104376->104377 104378 72aebc 104377->104378 104378->104160 104380 729e9c 104379->104380 104381 72af30 LdrLoadDll 104380->104381 104382 
729eac 104381->104382 104409 3152df0 LdrInitializeThunk 104382->104409 104383 729ec3 104383->104091 104385->104157 104387 72cf10 104386->104387 104388 72cf16 104386->104388 104387->104263 104389 72bf60 2 API calls 104388->104389 104390 72cf3c 104389->104390 104390->104263 104391->104268 104393 72cfa0 104392->104393 104394 72cffd 104393->104394 104395 72bf60 2 API calls 104393->104395 104394->104268 104396 72cfda 104395->104396 104397 72bd90 2 API calls 104396->104397 104397->104394 104398->104281 104399->104283 104400->104285 104401->104288 104402->104260 104404 72ac1b 104403->104404 104405 724e50 LdrLoadDll 104404->104405 104406 72ac3b 104405->104406 104407 724e50 LdrLoadDll 104406->104407 104408 72ace7 104406->104408 104407->104408 104408->104302 104408->104408 104409->104383 104411 3152c11 104410->104411 104412 3152c1f LdrInitializeThunk 104410->104412 104411->104166 104412->104166 104414 72af30 LdrLoadDll 104413->104414 104415 72a65c RtlFreeHeap 104414->104415 104415->104170 104417 717eb0 104416->104417 104418 717eab 104416->104418 104419 72bd10 LdrLoadDll 104417->104419 104418->104099 104425 717ed5 104419->104425 104420 717f38 104420->104099 104421 729e90 2 API calls 104421->104425 104422 717f3e 104424 717f64 104422->104424 104426 72a590 2 API calls 104422->104426 104424->104099 104425->104420 104425->104421 104425->104422 104427 72bd10 LdrLoadDll 104425->104427 104432 72a590 104425->104432 104428 717f55 104426->104428 104427->104425 104428->104099 104430 72a590 2 API calls 104429->104430 104431 71817e 104430->104431 104431->104056 104433 72af30 LdrLoadDll 104432->104433 104434 72a5ac 104433->104434 104437 3152c70 LdrInitializeThunk 104434->104437 104435 72a5c3 104435->104425 104437->104435 104439 72b593 104438->104439 104440 71acf0 LdrLoadDll 104439->104440 104441 719c4a 104440->104441 104441->104062 104443 71b063 104442->104443 104445 71b0e0 104443->104445 104457 729c60 LdrLoadDll 104443->104457 104445->104069 104447 72af30 LdrLoadDll 104446->104447 104448 
71f1bb 104447->104448 104448->104072 104449 72a7a0 104448->104449 104450 72af30 LdrLoadDll 104449->104450 104451 72a7bf LookupPrivilegeValueW 104450->104451 104451->104074 104453 72af30 LdrLoadDll 104452->104453 104454 72a24c 104453->104454 104458 3152ea0 LdrInitializeThunk 104454->104458 104455 72a26b 104455->104075 104457->104445 104458->104455 104460 71b1f0 104459->104460 104461 71b040 LdrLoadDll 104460->104461 104462 71b204 104461->104462 104462->104008 104464 71af34 104463->104464 104536 729c60 LdrLoadDll 104464->104536 104466 71af6e 104466->104010 104468 71f3ac 104467->104468 104469 71b1c0 LdrLoadDll 104468->104469 104470 71f3be 104469->104470 104537 71f290 104470->104537 104473 71f3f1 104476 71f402 104473->104476 104478 72a460 2 API calls 104473->104478 104474 71f3d9 104475 71f3e4 104474->104475 104477 72a460 2 API calls 104474->104477 104475->104013 104476->104013 104477->104475 104478->104476 104480 71f43c 104479->104480 104556 71b2b0 104480->104556 104482 71f44e 104483 71f290 3 API calls 104482->104483 104484 71f45f 104483->104484 104485 71f481 104484->104485 104486 71f469 104484->104486 104487 71f492 104485->104487 104490 72a460 2 API calls 104485->104490 104488 71f474 104486->104488 104489 72a460 2 API calls 104486->104489 104487->104015 104488->104015 104489->104488 104490->104487 104492 71caa6 104491->104492 104493 71cab0 104491->104493 104492->104024 104494 71af10 LdrLoadDll 104493->104494 104495 71cb4e 104494->104495 104496 71cb74 104495->104496 104497 71b040 LdrLoadDll 104495->104497 104496->104024 104498 71cb90 104497->104498 104499 724a50 8 API calls 104498->104499 104500 71cbe5 104499->104500 104500->104024 104502 71d646 104501->104502 104503 71b040 LdrLoadDll 104502->104503 104504 71d65a 104503->104504 104560 71d310 104504->104560 104506 71908b 104507 71cc00 104506->104507 104508 71cc26 104507->104508 104509 71b040 LdrLoadDll 104508->104509 104510 71cca9 104508->104510 104509->104510 104511 71b040 LdrLoadDll 104510->104511 104512 71cd16 
104511->104512 104513 71af10 LdrLoadDll 104512->104513 104514 71cd7f 104513->104514 104515 71b040 LdrLoadDll 104514->104515 104516 71ce2f 104515->104516 104516->104038 104520 718d14 104517->104520 104589 71f6d0 104517->104589 104519 718f25 104519->103995 104520->104519 104594 7243a0 104520->104594 104522 718d70 104522->104519 104597 718ab0 104522->104597 104525 72cf00 2 API calls 104526 718db2 104525->104526 104527 72d030 3 API calls 104526->104527 104531 718dc7 104527->104531 104528 717ea0 3 API calls 104528->104531 104531->104519 104531->104528 104532 71c7b0 16 API calls 104531->104532 104533 718160 2 API calls 104531->104533 104602 71f670 104531->104602 104606 71f080 19 API calls 104531->104606 104532->104531 104533->104531 104534->104017 104535->104036 104536->104466 104538 71f2aa 104537->104538 104546 71f360 104537->104546 104539 71b040 LdrLoadDll 104538->104539 104540 71f2cc 104539->104540 104547 729f10 104540->104547 104542 71f30e 104550 729f50 104542->104550 104545 72a460 2 API calls 104545->104546 104546->104473 104546->104474 104548 72af30 LdrLoadDll 104547->104548 104549 729f2c 104548->104549 104549->104542 104551 72af30 LdrLoadDll 104550->104551 104552 729f6c 104551->104552 104555 31535c0 LdrInitializeThunk 104552->104555 104553 71f354 104553->104545 104555->104553 104557 71b2ba 104556->104557 104558 71b040 LdrLoadDll 104557->104558 104559 71b313 104558->104559 104559->104482 104561 71d327 104560->104561 104569 71f710 104561->104569 104565 71d39b 104566 71d3a2 104565->104566 104580 72a270 LdrLoadDll 104565->104580 104566->104506 104568 71d3b5 104568->104506 104570 71f735 104569->104570 104581 7181a0 104570->104581 104572 71f759 104573 71d36f 104572->104573 104574 724a50 8 API calls 104572->104574 104576 72bd90 2 API calls 104572->104576 104588 71f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 104572->104588 104577 72a6b0 104573->104577 104574->104572 104576->104572 104578 72af30 LdrLoadDll 104577->104578 104579 72a6cf CreateProcessInternalW 
104578->104579 104579->104565 104580->104568 104582 71829f 104581->104582 104583 7181b5 104581->104583 104582->104572 104583->104582 104584 724a50 8 API calls 104583->104584 104586 718222 104584->104586 104585 718249 104585->104572 104586->104585 104587 72bd90 2 API calls 104586->104587 104587->104585 104588->104572 104590 724e50 LdrLoadDll 104589->104590 104591 71f6ef 104590->104591 104592 71f6f6 SetErrorMode 104591->104592 104593 71f6fd 104591->104593 104592->104593 104593->104520 104595 7243c6 104594->104595 104607 71f4a0 104594->104607 104595->104522 104598 72bd10 LdrLoadDll 104597->104598 104599 718ad5 104598->104599 104600 718cea 104599->104600 104626 729850 104599->104626 104600->104525 104603 71f683 104602->104603 104674 729e60 104603->104674 104606->104531 104608 71f4bd 104607->104608 104614 729f90 104608->104614 104611 71f505 104611->104595 104615 72af30 LdrLoadDll 104614->104615 104616 729fac 104615->104616 104624 3152f30 LdrInitializeThunk 104616->104624 104617 71f4fe 104617->104611 104619 729fe0 104617->104619 104620 729ffc 104619->104620 104621 72af30 LdrLoadDll 104619->104621 104625 3152d10 LdrInitializeThunk 104620->104625 104621->104620 104622 71f52e 104622->104595 104624->104617 104625->104622 104627 72bf60 2 API calls 104626->104627 104628 729867 104627->104628 104647 719310 104628->104647 104630 729882 104631 7298c0 104630->104631 104632 7298a9 104630->104632 104635 72bd10 LdrLoadDll 104631->104635 104633 72bd90 2 API calls 104632->104633 104634 7298b6 104633->104634 104634->104600 104636 7298fa 104635->104636 104637 72bd10 LdrLoadDll 104636->104637 104638 729913 104637->104638 104644 729bb4 104638->104644 104653 72bd50 LdrLoadDll 104638->104653 104640 729b99 104641 729ba0 104640->104641 104640->104644 104642 72bd90 2 API calls 104641->104642 104643 729baa 104642->104643 104643->104600 104645 72bd90 2 API calls 104644->104645 104646 729c09 104645->104646 104646->104600 104648 719330 104647->104648 104649 71acf0 LdrLoadDll 104648->104649 104650 
719368 104649->104650 104652 71938d 104650->104652 104654 71cf20 104650->104654 104652->104630 104653->104640 104655 71cf4c 104654->104655 104656 72a1b0 LdrLoadDll 104655->104656 104657 71cf65 104656->104657 104658 71cf6c 104657->104658 104665 72a1f0 104657->104665 104658->104652 104662 71cfa7 104663 72a460 2 API calls 104662->104663 104664 71cfca 104663->104664 104664->104652 104666 72af30 LdrLoadDll 104665->104666 104667 72a20c 104666->104667 104673 3152ca0 LdrInitializeThunk 104667->104673 104668 71cf8f 104668->104658 104670 72a7e0 104668->104670 104671 72af30 LdrLoadDll 104670->104671 104672 72a7ff 104671->104672 104672->104662 104673->104668 104675 72af30 LdrLoadDll 104674->104675 104676 729e7c 104675->104676 104679 3152dd0 LdrInitializeThunk 104676->104679 104677 71f6ae 104677->104531 104679->104677

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 02FDA19F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769506820.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2fd0000_ipconfig.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 89e49e33c588b8b3801e48aab295649741eca5518033a24e94be702ac1592d92
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 90F16070918A8C8FDBA5EF68CC94AEEB7E2FF98304F44462AD54AD7250DF349641CB41

Control-flow Graph

control_flow_graph: rendered graph omitted (the original legend distinguished executed from not-executed blocks). Function at 2fd9baf, basic blocks 2fd9baf through 2fd9ddc; internal calls to 2fd9102, 2fdb942 (twice), 2fd9172 and 2fdcd62; API calls NtCreateSection (block 2fd9c0c-2fd9c9a), NtMapViewOfSection (block 2fd9ca0-2fd9d0a) and NtClose (block 2fd9d88-2fd9ddc).
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769506820.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2fd0000_ipconfig.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: f4e50a0d59aeb55fc78eccd57c0b7b4ecbd7968326080bc5cea751182ef26133
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: C461C370518B488FCB58EF58D8856AABBE1FF98354F50062EE58AC3251CF75D441CB86

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Basic blocks 2fd9bb2-2fd9ddc, calling 2fd9102, 2fdb942 (x2), 2fdcd62 and 2fd9172, with calls to NtCreateSection, NtMapViewOfSection and NtClose]
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769506820.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2fd0000_ipconfig.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Basic blocks 72a44e-72a489, calling 72af30 and NtClose]
APIs
• NtClose.NTDLL(PMr,?,?,00724D50,00000000,FFFFFFFF), ref: 0072A485
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: PMr$}Kr
• API String ID: 3535843008-1351801184

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 02FDA19F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769506820.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2fd0000_ipconfig.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Single basic block 72a330-72a381, calling 72af30 and NtCreateFile]
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00724BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00724BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0072A37D
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Basic blocks 72a32f-72a381, calling 72af30 and NtCreateFile]
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00724BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00724BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0072A37D
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Basic blocks 72a40f-72a459, calling 72af30 and NtReadFile]
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jr,FFFFFFFF,?,rMr,?,00000000), ref: 0072A425
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: }Kr
• API String ID: 2738559852-250520783

Control-flow Graph

• [Graph rendering not reproduced; legend: executed / not executed. Single basic block 72a3e0-72a429, calling 72af30 and NtReadFile]
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jr,FFFFFFFF,?,rMr,?,00000000), ref: 0072A425
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1Jr
• API String ID: 2738559852-1853219114
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • NtClose.NTDLL(PMr,?,?,00724D50,00000000,FFFFFFFF), ref: 0072A485
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                  • String ID: PMr
                                                                                                                                                                                                                  • API String ID: 3535843008-1747048186
                                                                                                                                                                                                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                                                  • Instruction ID: 71954ec5e47f5d2c6d72e6a6f4c3d7a2f49f6f8abfe94ee696c4c48f094c98fa
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5D01776610214BBD710EB98DC89EA77BACEF48760F154499BA189B242C534FA0086E0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: a88ad71e9f0dd7fafa46f5ec3cdbc65ab7d70511d72ff299ca212688a70d846f
                                                                                                                                                                                                                  • Instruction ID: 4cf719662ac7fb32b174d2470494f6a6bc3f78d5db50375e11b4236ee4423716
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a88ad71e9f0dd7fafa46f5ec3cdbc65ab7d70511d72ff299ca212688a70d846f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC9002A1202404034105B1984914616400A87E4201B55D021E5015590DC72589A16125
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 201cbbf5a3e910976982b12ec29e619821fdf141beabe9e21a4c757157d8a113
                                                                                                                                                                                                                  • Instruction ID: 5eea4703bbddca095d391fe2921c8a48510dc76c7d548ef5dcd2dc9e3cd8f92f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 201cbbf5a3e910976982b12ec29e619821fdf141beabe9e21a4c757157d8a113
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57900475311404030105F5DC0F045070047C7DD351355D031F5017550CD731CD715131
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 26e804c204a49486c858a8752473b4e36ef8d37db1dcff6bdc1d7a957a67b0ad
                                                                                                                                                                                                                  • Instruction ID: 8cc3f288a001d28c1e90bbd0a5680045a215b34a84b26db3e3c17c7ead13d35a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 26e804c204a49486c858a8752473b4e36ef8d37db1dcff6bdc1d7a957a67b0ad
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B9002A134140843D100B1984914B060005C7E5301F55D015E5065554D8719CD626126
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: 11900e5dc4f37840d86630a6f903fe891585539aa9f9c05e35c355894891674a
                                                                                                                                                                                                                  • Instruction ID: b85ed6cfe057a9b3133f71a81deac0a19843d38a76549c347eed33693b6f5e20
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 11900e5dc4f37840d86630a6f903fe891585539aa9f9c05e35c355894891674a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51900261211C0443D200B5A84D14B07000587D4303F55D115A4155554CCB1589715521
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: abdd769a6ac882ec3dc7d7c1c86fcf0ab123ff26ded741b7f5c1ef25791f837c
                                                                                                                                                                                                                  • Instruction ID: 0ef5f8eb83e15fac74154d82e69b8cf3e44baf05f61608ea693a6c981ffa6c5b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: abdd769a6ac882ec3dc7d7c1c86fcf0ab123ff26ded741b7f5c1ef25791f837c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E9002B120140803D140B1984904746000587D4301F55D011A9065554E87598EE56665
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                  • Opcode ID: cb7c28c121f1bdfdd89b780ecbc29b35ef12e8f2a75f9028320df207622ec515
                                                                                                                                                                                                                  • Instruction ID: bb6d3928cce9418bc681be1dc7a0005d6ba26019553e8e823c4b4a1f71f75ec0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb7c28c121f1bdfdd89b780ecbc29b35ef12e8f2a75f9028320df207622ec515
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C490026921340403D180B198590860A000587D5202F95E415A4016558CCB1589795321
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2c2c5457adf50f9930fd1f270d7d489b7e78a71944227379190462ca2690996d
• Instruction ID: 8658d275e956531235683c68f5f8083d29fec8568988aa5dd309af0bf4bc23e0
• Opcode Fuzzy Hash: 2c2c5457adf50f9930fd1f270d7d489b7e78a71944227379190462ca2690996d
• Instruction Fuzzy Hash: D8900261242445535545F1984904507400697E4241795D012A5415950C87269966D621
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c267b3de0387f753b18df0bf31207086b6fe9371f6cc4498df2627acb1122413
• Instruction ID: 8d0120f42139b2e503ac6b3403ff67fb8518bf9c73033bf525170d48993c3162
• Opcode Fuzzy Hash: c267b3de0387f753b18df0bf31207086b6fe9371f6cc4498df2627acb1122413
• Instruction Fuzzy Hash: 0D90027120140813D111B1984A04707000987D4241F95D412A4425558D97568A62A121
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: eaa6c34cc6427d10fc52166dc8170421b87ee7a95871abfc238fa1ee9110791a
• Instruction ID: 5cdcb83ce39e9b6ed76d8112b1493707251848147604549bdec6b7be6aec9f26
• Opcode Fuzzy Hash: eaa6c34cc6427d10fc52166dc8170421b87ee7a95871abfc238fa1ee9110791a
• Instruction Fuzzy Hash: C490027120148C03D110B198890474A000587D4301F59D411A8425658D879589A17121
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9823b22218e83ff7a818eb650bebe4d4beae16b79c02496e1a1c7797ee12c80c
• Instruction ID: e0c776e92b07f80e60bf2c83dd95dc4278634bd76b29a19ce6d3dac14c25f00b
• Opcode Fuzzy Hash: 9823b22218e83ff7a818eb650bebe4d4beae16b79c02496e1a1c7797ee12c80c
• Instruction Fuzzy Hash: 4A90027120140C43D100B1984904B46000587E4301F55D016A4125654D8715C9617521
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3ae2181231379d1b885063c47fa73306ae2e616a84f4a64c4271b75327afa564
• Instruction ID: c18ea220ca26d635f188340a0d27d63f4f5e2da40380c591aa81f58515063cc7
• Opcode Fuzzy Hash: 3ae2181231379d1b885063c47fa73306ae2e616a84f4a64c4271b75327afa564
• Instruction Fuzzy Hash: 7490027120140803D100B5D85908646000587E4301F55E011A9025555EC76589A16131
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3514eb9740e80ef5f9ca05a57602d2ce340b4bf9ea15fc549ab3759a5a45d4e4
• Instruction ID: a65628ff5ad8658c91cb641c5e3b80ee957c5aef491df60126377114e6df2512
• Opcode Fuzzy Hash: 3514eb9740e80ef5f9ca05a57602d2ce340b4bf9ea15fc549ab3759a5a45d4e4
• Instruction Fuzzy Hash: E690027160550803D100B1984A14706100587D4201F65D411A4425568D87958A6165A2

Control-flow Graph

control_flow_graph (basic blocks with their call targets, then edges)
• 405: 729050-729092, call 72bd10
• 409: 729098-7290e8, call 72bde0, call 71acf0, call 724e50
• 410: 72916c-729172
• 417: 7290f0-729101, Sleep
• 418: 729103-729109
• 419: 729166-72916a
• 420: 729133-729154, call 728e80
• 421: 72910b-729131, call 728c70
• 425: 729159-72915c
• Edges: 405->409, 405->410, 409->417, 417->418, 417->419, 418->420, 418->421, 419->410, 419->417, 420->425, 421->425, 425->419
APIs
• Sleep.KERNELBASE(000007D0), ref: 007290F8
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: e5e29976e435e1dfde152f96692afefcee273e64473320723cc8ed671931ff9b
• Instruction ID: 83b85b69ba321b876a0989df45a2f740899db0aa60e8628ad69b47a2430c9b61
• Opcode Fuzzy Hash: e5e29976e435e1dfde152f96692afefcee273e64473320723cc8ed671931ff9b
• Instruction Fuzzy Hash: DC31B4B2500355BBC724DF64D889FA7B7B8BB48700F14811DF62A6B245DA34B650CBA8
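The records above carry two kinds of raw data that are easy to misread when skimming a report: the `.sdmp` memory-dump identifier, whose dotted hex fields encode the region's base address, page protection and memory type, and the API line, whose argument is printed in hex (Sleep(000007D0) is a 2000 ms sleep, executed once per iteration of the loop in the control-flow graph). The following Python is an added example, not code from the report or from Joe Sandbox. It parses both line types, decodes the documented PAGE_*/MEM_* values, and reports why each region looks like injected code. The field order it assumes for the `.sdmp` name (pid.iteration.timestamp.base.protect.state.type.extra) is inferred from the lines above and is an assumption; the sample input is copied from the records on this page.

```python
"""Decode Joe Sandbox per-function records: the .sdmp dump identifier and API call lines.

Added example, not part of the report or of Joe Sandbox. The .sdmp field order used here,
pid.iteration.timestamp.base.protect.state.type.extra, is inferred from the report's own
lines and is an assumption; bits with no documented PAGE_*/MEM_* value are kept as raw hex.
"""
import re
from collections import namedtuple

# Documented Win32 values (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<iter>[0-9A-Fa-f]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp,\s*Offset:\s*"
    r"(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# pid is the report's process index (6 = the ipconfig.exe host in the records above).
DumpRegion = namedtuple("DumpRegion", "pid iteration base protect state mtype based_on_pe")
ApiCall = namedtuple("ApiCall", "api module args ref")


def _bits(value, table):
    """Names of the known bits in value; leftover bits are appended as raw hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = sum(table)               # keys are distinct single bits, so sum == OR
    if value & ~known:
        names.append(f"0x{value & ~known:08X}")
    return names


def protect_names(region):
    low = region.protect & 0xFF      # one base protection value plus optional modifier bits
    return [PAGE_PROTECT.get(low, f"0x{low:02X}")] + _bits(region.protect & ~0xFF, PAGE_MODIFIERS)


def state_names(region):
    return _bits(region.state, MEM_STATE)


def type_names(region):
    return _bits(region.mtype, MEM_TYPE)


def parse_source_line(line):
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    return DumpRegion(int(m["pid"], 16), int(m["iter"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["state"], 16), int(m["mtype"], 16),
                      m["pe"] == "true")


def parse_api_line(line):
    m = API_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = []
    for raw in (a.strip() for a in m["args"].split(",") if a.strip()):
        try:
            args.append(int(raw, 16))    # the report prints integer arguments in hex
        except ValueError:
            args.append(raw)             # anything else (e.g. a string) is kept verbatim
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def sleep_ms(call):
    """Milliseconds requested by a Sleep call, or None for any other API."""
    if call.api == "Sleep" and call.args and isinstance(call.args[0], int):
        return call.args[0]
    return None


def injection_indicators(region):
    """Reasons this region looks like injected code rather than a normally loaded module."""
    reasons = []
    if (region.protect & 0xFF) == 0x40:
        reasons.append("RWX region")
    if region.based_on_pe and not region.mtype & 0x1000000:
        reasons.append("PE header in non-image memory (written/hollowed, not loaded)")
    if (region.protect & 0xFF) in EXECUTABLE and region.mtype & 0x40000:
        reasons.append("executable section mapping (section-based injection)")
    return reasons


# Sample input: the two Source File lines and the Sleep line copied from the records above.
SAMPLE_SOURCE_LINES = [
    "Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true",
    "Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false",
]
SAMPLE_API_LINE = "Sleep.KERNELBASE(000007D0), ref: 007290F8"

if __name__ == "__main__":
    for line in SAMPLE_SOURCE_LINES:
        r = parse_source_line(line)
        print(f"pid {r.pid} base {r.base:#x}: {protect_names(r)} {state_names(r)} {type_names(r)} "
              f"pe={r.based_on_pe} -> {injection_indicators(r) or 'nothing unusual'}")
    c = parse_api_line(SAMPLE_API_LINE)
    print(f"{c.module}!{c.api}{tuple(c.args)} @ {c.ref:#x}: {sleep_ms(c)} ms per loop iteration")
```

Run on the two regions above, the RWX private region at 0x30E0000 that is "based on PE: true" comes back as a PE header in non-image memory, which is what the process-hollowing signature in the overview is describing, and the 0x710000 region that hosts the Sleep loop comes back as an executable MEM_MAPPED section, the shape left behind by section-mapping injection. The 0x80000000 value in that region's state field has no documented MEM_ meaning, so the decoder keeps it as raw hex rather than guessing.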

Control-flow Graph

control_flow_graph (basic blocks with their call targets, then edges)
• 426: 729047-72904c
• 427: 72906e-729092, call 72bd10
• 428: 72904e-729069
• 431: 729098-7290e8, call 72bde0, call 71acf0, call 724e50
• 432: 72916c-729172
• 439: 7290f0-729101, Sleep
• 440: 729103-729109
• 441: 729166-72916a
• 442: 729133-729154, call 728e80
• 443: 72910b-729131, call 728c70
• 447: 729159-72915c
• Edges: 426->427, 426->428, 427->431, 427->432, 428->427, 431->439, 439->440, 439->441, 440->442, 440->443, 441->432, 441->439, 442->447, 443->447, 447->441
APIs
• Sleep.KERNELBASE(000007D0), ref: 007290F8
Strings
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
                                                                                                                                                                                                                  • API String ID: 3472027048-1269752229
                                                                                                                                                                                                                  • Opcode ID: 63884c9e90c699882dd90b0e07c346ea475eda991a5c29e2902426c504ef9855
                                                                                                                                                                                                                  • Instruction ID: 10647f9515ed2b6007468a0dabcf8a27c7b68c8b16da09ddaa183b43caa7315a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63884c9e90c699882dd90b0e07c346ea475eda991a5c29e2902426c504ef9855
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F21E671A00315BBC724DF64D8C9F6BB7B8FB44700F14801DF6296B245DB74A560CBA5

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  control_flow_graph 566 72a632-72a656 567 72a65c-72a671 RtlFreeHeap 566->567 568 72a657 call 72af30 566->568 568->567
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00713AF8), ref: 0072A66D
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                                                  • String ID: .z`
                                                                                                                                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                                                                                                                                  • Opcode ID: 5ab1f9ebfd61313a2c71f5ebd0a4e95d611386f41238130e82d8861c00148ee3
                                                                                                                                                                                                                  • Instruction ID: 1bfccde9c41b185a50e90c456192d902d77a9c7353fc371982a212c42f36887e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5ab1f9ebfd61313a2c71f5ebd0a4e95d611386f41238130e82d8861c00148ee3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4DE06DB6A502146FE714DF68DC84ED73759EF48354F114655FE1997242C531E9018AA0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00713AF8), ref: 0072A66D
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                                                  • String ID: .z`
                                                                                                                                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                                                                                                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                                                                                                                  • Instruction ID: 217e2d1d397dbebb0a61b254862f4609128474786a2900550e56d600517072b2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4E046B1610218BBDB18EF99DC49EA777ACEF88750F018559FE085B242C630F910CAF0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(6Er,?,00724CAF,00724CAF,?,00724536,?,?,?,?,?,00000000,00000000,?), ref: 0072A62D
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                  • String ID: 6Er
                                                                                                                                                                                                                  • API String ID: 1279760036-3970100064
                                                                                                                                                                                                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                                                                                                                  • Instruction ID: b9ae502ee8d41eb255ff1e0da0f9205b558d5c81f2a401f936e8454b0b6ad027
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ABE012B1610218ABDB14EF99DC45EA777ACAF88654F118559BA085B242C630F9118AB0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0071836A
                                                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0071838B
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                                                  • Opcode ID: 2f9fa2d1e18a5147fd5a2052cceb08ccc37e4161448bfa1afe7e85d2a31b9ca4
                                                                                                                                                                                                                  • Instruction ID: 9bd1a54ee188ecfa2104a08cb405537ef87c6ebbc05a443c0f37cd43de3760b4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f9fa2d1e18a5147fd5a2052cceb08ccc37e4161448bfa1afe7e85d2a31b9ca4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1901D831A81228BAE721AA949C47FFE776C6B41F50F050109FF04BA1C2EAA8694547F2
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0071836A
                                                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0071838B
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                                                  • Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                                                                                                                                                                                                  • Instruction ID: 9ab394a3513fa009f896a367de987bc591123806390892586f1b00d556ee1220
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9101A731A81228B7E721A6989C07FFE776C5B41F50F050115FF04BA1C1EAE8690546F6
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0072A704
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateInternalProcess
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2186235152-0
                                                                                                                                                                                                                  • Opcode ID: da4fba5f7295c93d1427ab53a76ad236c9c2f77519cf3b115a1e72a7ba2d7bf3
                                                                                                                                                                                                                  • Instruction ID: 421115c50c96cee50c5685a79c7b3123c66a111d94c271967be034987c688ba0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: da4fba5f7295c93d1427ab53a76ad236c9c2f77519cf3b115a1e72a7ba2d7bf3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F001E2B2610208BFCB14DF98DC80EEB73ADAF8C754F158259FA0D97241D634E9118BA1
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0071AD62
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 13c149043007d3d7c1427938a36518896c9b0460434614db37b69114ac3ce7eb
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 30011EB5E0020DFBDB10EAA4EC46FDDB3B89B54308F1045A5A90897685F635EB58CB92
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0072A704
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: e85b4d0d6756b7ec2f23b51d3e0afa9de94fd18be70a19a4990dda8ca75ddc24
• Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction Fuzzy Hash: 3901B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0071F050,?,?,00000000), ref: 007291BC
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 2a9e86e24bc56bd5e5c8f7058f3337d393e3d54e9e3bda20cdafd8c47c4461b2
• Instruction ID: 386c70f5176553a3136b841aa3f8ad3f76380870b1b879a24e2e2d9428c44fc5
• Opcode Fuzzy Hash: 2a9e86e24bc56bd5e5c8f7058f3337d393e3d54e9e3bda20cdafd8c47c4461b2
• Instruction Fuzzy Hash: 52E092333803147AE3306599AC03FA7B39CDB81B20F550036FB0DEB2C1D599F80146A5
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0071F1D2,0071F1D2,?,00000000,?,?), ref: 0072A7D0
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction ID: 7780f8f25f791d1c082a5f35b833035ac1217cfaeaae86d0a986d5967de69c80
• Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction Fuzzy Hash: 84E01AB1610218ABDB10DF49DC85EE737ADAF88650F018155BA0857241C934E8118BF5
APIs
• SetErrorMode.KERNELBASE(00008003,?,00718D14,?), ref: 0071F6FB
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 0d12322264580f8014817181127fd7e5ea02209f82d9b17892e9fa143eb37236
• Instruction ID: 9e8c3c3e19571cd3bf6e0968952606ebb81604f53a534a464023231550c0ff22
• Opcode Fuzzy Hash: 0d12322264580f8014817181127fd7e5ea02209f82d9b17892e9fa143eb37236
• Instruction Fuzzy Hash: 0EE02B61B503093BE700BAA4DC23F9733C96B10B40F558020F908D73C3EE54E50044A0
APIs
• SetErrorMode.KERNELBASE(00008003,?,00718D14,?), ref: 0071F6FB
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction ID: 0416a55f2cea6f8112493a94d8effe32d21f93abaa9b7e7b289a8e831a417e21
• Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction Fuzzy Hash: 24D05E616503082AE710AAA89C17F6632886B54B00F4A0064F948962C3D954E4004565
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0071F050,?,?,00000000), ref: 007291BC
Memory Dump Source
• Source File: 00000006.00000002.3768270082.0000000000710000.00000040.80000000.00040000.00000000.sdmp, Offset: 00710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_710000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 6a92d3180634f6edf34367d02a3cb7829a3a1da94794bdf4085710489f94b317
• Instruction ID: 8fe720adc07c77ba516ed5454e359a3a1ccd4625c9dd21e5176bdea137fd8698
• Opcode Fuzzy Hash: 6a92d3180634f6edf34367d02a3cb7829a3a1da94794bdf4085710489f94b317
• Instruction Fuzzy Hash: 76C04C753A829929F23052AEBC45B78DA89CBD4666F1806B3F689D988190851CAA4250
APIs
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 30d8ec9038230b3f33cf9f8cbf9a6df5cc64706344b24bf8c08fa15823a8e963
• Instruction ID: 4b741c84938ac3b10554ee97d4b92d2acb498352d01e9ac38cb219b128a359e7
• Opcode Fuzzy Hash: 30d8ec9038230b3f33cf9f8cbf9a6df5cc64706344b24bf8c08fa15823a8e963
• Instruction Fuzzy Hash: E2B09B729015C5C7DA11E7604B08717790467D4701F29C461E6130641F4739C1D1E175
APIs
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(000008FF,00000000,00000000,?,00000014,00000000), ref: 00D43BEE
• ConvertLengthToIpv4Mask.IPHLPAPI(?,00000000), ref: 00D43C4F
• InetNtopW.WS2_32(00000002,?,?,00000041), ref: 00D43C79
  • Part of subcall function 00D43096: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D430B1
  • Part of subcall function 00D43096: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00D430BF
  • Part of subcall function 00D43096: GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00D430D9
  • Part of subcall function 00D43096: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00D430E5
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D43F4C
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D43F53
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D43FCE
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D43FD5
  • Part of subcall function 00D43901: RtlIpv4AddressToStringExW.NTDLL(?,00000000,?,?), ref: 00D43918
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00D44141
                                                                                                                                                                                                                  • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,?,?,?,?), ref: 00D44151
                                                                                                                                                                                                                  • GetAdaptersAddresses.IPHLPAPI(00000000,000000C6,00000000,00000000,?), ref: 00D44167
                                                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00D44190
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Local$FreeHeapTime$FileFormat$AllocIpv4MessageProcess$AdaptersAddressAddressesConvertDateErrorInetLastLengthMaskNtopStringSystem__iob_func
                                                                                                                                                                                                                  • String ID: %02X-$A
                                                                                                                                                                                                                  • API String ID: 2780012581-292374352
                                                                                                                                                                                                                  • Opcode ID: 93c45c7df4889e0b4e17dc326155e3b37a2235613d3d6780c1eed5497764b67e
                                                                                                                                                                                                                  • Instruction ID: a5fd3d9ecb9f754f4b40d3ca12a600eab77a1eed072f4d764cbd803d1274d13a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93c45c7df4889e0b4e17dc326155e3b37a2235613d3d6780c1eed5497764b67e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 25228D71944315AFDB24AB64DC86FEA737CEF44710F180169F909AB182DB71DE948BB0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D452D6,00D41000), ref: 00D451A7
                                                                                                                                                                                                                  • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00D452D6,?,00D452D6,00D41000), ref: 00D451B0
                                                                                                                                                                                                                  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00D452D6,00D41000), ref: 00D451BB
                                                                                                                                                                                                                  • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00D452D6,00D41000), ref: 00D451C2
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3231755760-0
                                                                                                                                                                                                                  • Opcode ID: 2f46a24d586d3eac23d70cf3ba51f92ec4fd720b941ec559e9bc3d3b15f4468d
                                                                                                                                                                                                                  • Instruction ID: a2bd277a4b7f40a52b3a8ed2533185d20374e7d42d3334b8be71dadc079887c9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f46a24d586d3eac23d70cf3ba51f92ec4fd720b941ec559e9bc3d3b15f4468d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CD0C936009304ABDB002FE1EC0CA893F38EB4A252F058400F30AC2260CB3144018B71
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • DnsGetCacheDataTableEx.DNSAPI(00000001,00000000,?), ref: 00D43885
                                                                                                                                                                                                                  • DnsFree.DNSAPI(?,00000000), ref: 00D438E8
                                                                                                                                                                                                                  • DnsFree.DNSAPI(?,00000000), ref: 00D438F0
                                                                                                                                                                                                                    • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
                                                                                                                                                                                                                    • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
                                                                                                                                                                                                                    • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Free$CacheDataFormatLocalMessageTable__iob_func
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2186664420-0
                                                                                                                                                                                                                  • Opcode ID: 39202454aa27875cb574fe4b37261bd597af234ede2ce158bf9d3938e7f117bc
                                                                                                                                                                                                                  • Instruction ID: 86b93c44c854efad89967112633dcd168e85af631d0ac6984203d3008e21ffbe
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 39202454aa27875cb574fe4b37261bd597af234ede2ce158bf9d3938e7f117bc
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F01C871604324ABE720AF59D986E77B3B9EF90F50718482DF49657285DB71AE008670
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D44AFB
                                                                                                                                                                                                                  • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 00D44B10
                                                                                                                                                                                                                  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 00D44B23
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3429775523-0
                                                                                                                                                                                                                  • Opcode ID: a5bed727263dcd998498bdc0733dc0ab58ead76f44e69f537647f9fbb4a5bad2
                                                                                                                                                                                                                  • Instruction ID: 29a99599c28d5c3ed81dbd19c5064514ff5dd04fefe6918667e77068c8d29a1d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5bed727263dcd998498bdc0733dc0ab58ead76f44e69f537647f9fbb4a5bad2
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 230112B5A0430AABDF00DFE1DD85ABEB7B8FB05300F5018A9A512E2281DB70DA04CB71
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00D426B7
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Time$FileSystem
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2086374402-0
                                                                                                                                                                                                                  • Opcode ID: c049e5940e042adb6c52fc8c826b209f12ecfa35ae7d5e490ee190cffda93e66
                                                                                                                                                                                                                  • Instruction ID: c68c0e92caa7983424ad705fdbd67b9b5d3f0e18ab76232dead7c0d880b1db37
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c049e5940e042adb6c52fc8c826b209f12ecfa35ae7d5e490ee190cffda93e66
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 70D0A737008325BBCB502F95EC04C86BBA9EF96331310C226F5A491162DF719C1087B0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000053A0), ref: 00D453F5
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                                                                  • Opcode ID: 8a5e8b3335ee20cc6aa99e011607a5a73c3f2ee4050681cf608df772a678e50a
                                                                                                                                                                                                                  • Instruction ID: e1309e6192f13b3a2ae2ecee6d9b4c72848a0721ea8a011cd76d838ab570f9dd
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a5e8b3335ee20cc6aa99e011607a5a73c3f2ee4050681cf608df772a678e50a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED900264256600DBCA002F707D4D40666A45B4D6427D14450A011C4159DBA254085531
APIs
• HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00D4470F
• setlocale.MSVCRT ref: 00D4471B
• SetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000), ref: 00D44724
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44C73: fgetpos.MSVCRT ref: 00D44CA8
  • Part of subcall function 00D44C73: _fileno.MSVCRT ref: 00D44CC2
  • Part of subcall function 00D44C73: _setmode.MSVCRT ref: 00D44CCA
  • Part of subcall function 00D44C73: fwprintf.MSVCRT ref: 00D44CD6
• exit.MSVCRT ref: 00D447E5
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001100,00000000,000002E4,00000000,?,00000000,00000000), ref: 00D44807
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D44827
  • Part of subcall function 00D431D0: DnsResolverOp.DNSAPI(00000002,00000000,00000000), ref: 00D431D9
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: FormatFreeHeapInformationLanguageLocalMessageResolverThread__iob_func_fileno_setmodeexitfgetposfwprintfsetlocale
• String ID: all$allcompartments$debug$displaydns$flushdns$registerdns$release$release6$renew$renew6$setclassid$setclassid6$showclassid$showclassid6
• API String ID: 1456437472-1517225019
• Opcode ID: 9b5b477802865f68a79496c665bcecb7e8cf54ee7fcb893ba93946c817714cdf
• Instruction ID: 7fa2e5465badeda33a3df0e460e0fade2c5640c15052cfd997025af88b1d73b3
• Opcode Fuzzy Hash: 9b5b477802865f68a79496c665bcecb7e8cf54ee7fcb893ba93946c817714cdf
• Instruction Fuzzy Hash: B18158795083819B8721EF20D886A6FB7F4EBC1764F28491EF49257281DB70C985DF72
APIs
• fflush.MSVCRT ref: 00D44D51
  • Part of subcall function 00D44B41: _fileno.MSVCRT ref: 00D44B4C
  • Part of subcall function 00D44B41: _get_osfhandle.MSVCRT ref: 00D44B53
• _fileno.MSVCRT ref: 00D44D71
• _setmode.MSVCRT ref: 00D44D79
• wcschr.MSVCRT ref: 00D44D9C
• _fileno.MSVCRT ref: 00D44DC2
• _setmode.MSVCRT ref: 00D44DCA
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D44DE8
• LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00D44DF8
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00D44E16
• _fileno.MSVCRT ref: 00D44E23
• _write.MSVCRT ref: 00D44E2B
• fwprintf.MSVCRT ref: 00D44E3C
• fflush.MSVCRT ref: 00D44E46
• _fileno.MSVCRT ref: 00D44E4F
• _setmode.MSVCRT ref: 00D44E57
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00D44E64
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: _fileno$_setmode$ByteCharLocalMultiWidefflush$AllocFree_get_osfhandle_writefwprintfwcschr
• String ID: %ls
• API String ID: 2233937912-3246610740
• Opcode ID: 89098949d383b4abeb690d811ab4ba562e40545e02be771f068cc9be538ce333
• Instruction ID: cb39182c477c753de92e725b31201c3eaa20ce32ae8334f269f7cc81d6f48f85
• Opcode Fuzzy Hash: 89098949d383b4abeb690d811ab4ba562e40545e02be771f068cc9be538ce333
• Instruction Fuzzy Hash: F2318EB6908314FFEB025FA4EC09FAE7B78EF46321F244069F611E1290EF7489418A74
APIs
• memset.MSVCRT ref: 00D42340
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00D423D3
• RtlStringFromGUID.NTDLL(?,?), ref: 00D423EC
• memcpy.MSVCRT(?,?,00000001), ref: 00D4241A
• RtlFreeUnicodeString.NTDLL(?), ref: 00D4243B
  • Part of subcall function 00D42260: memset.MSVCRT ref: 00D4228A
  • Part of subcall function 00D42260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00D422DF
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,00000001,?,00000000,00000002,?), ref: 00D42491
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D4249D
• memset.MSVCRT ref: 00D424AD
• DhcpHandlePnPEvent.DHCPCSVC(00000000,00000001,?,?,00000000), ref: 00D424C9
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
• RtlFreeUnicodeString.NTDLL(?), ref: 00D42524
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: FreeStringmemset$Unicode$CloseConvertDhcpEventFormatFromGuidHandleInterfaceLocalLuidMessageOpenValue__iob_funcmemcpy
• String ID: DhcpClassId$PI^v$p<sw
• API String ID: 4056406669-3072822946
• Opcode ID: ed4023ce976df0692993308a29772a50b323c9d98ad6f200278a90a47672060b
• Instruction ID: b8704534298160dc54f32823eb9c0d89962fafa73e79fb8cc3fdf30da2ca3948
• Opcode Fuzzy Hash: ed4023ce976df0692993308a29772a50b323c9d98ad6f200278a90a47672060b
• Instruction Fuzzy Hash: 5961C476A00308AFDB209F64DC95BBBB3B9EB89300F4444A9F54AE7251DA70DD858B71
APIs
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00D42D48
• RtlStringFromGUID.NTDLL(?,?), ref: 00D42D5E
• memcpy.MSVCRT(?,?,00000050), ref: 00D42D83
• RtlFreeUnicodeString.NTDLL(?), ref: 00D42DA2
  • Part of subcall function 00D42C01: memset.MSVCRT ref: 00D42C2B
  • Part of subcall function 00D42C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00D42C80
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,00000001,?,00000000,00000002,?), ref: 00D42DED
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D42DF6
• Dhcpv6SetUserClass.DHCPCSVC6(?,?,?), ref: 00D42E16
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
• RtlFreeUnicodeString.NTDLL(?), ref: 00D42E6F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: FreeString$Unicode$ClassCloseConvertDhcpv6FormatFromGuidInterfaceLocalLuidMessageOpenUserValue__iob_funcmemcpymemset
• String ID: Dhcpv6ClassId$PI^v$p<sw
• API String ID: 3741014365-1619846280
• Opcode ID: aaa5ec911cecf59664f903c04882176cef33afba2d01d8f1312f2ca68e6684ab
• Instruction ID: 5d2f4b43022d5362045ef3f680cce0c24b6d294786ac4c22034136306173bba2
• Opcode Fuzzy Hash: aaa5ec911cecf59664f903c04882176cef33afba2d01d8f1312f2ca68e6684ab
• Instruction Fuzzy Hash: EF51EA35A006049BDB249FA8DC85ABF77B5FF84710F98453EF946D7251DB7098418B70
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 8d3b71a1fd68c1c9ad0f2a5e4565407312bb54514cc20f82f8d8e5c000a7ba4d
                                                                                                                                                                                                                  • Instruction ID: f773bdf3c94596a48c0326fd67dbb453ac9614ac5ff0c04e30797c1778151975
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d3b71a1fd68c1c9ad0f2a5e4565407312bb54514cc20f82f8d8e5c000a7ba4d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC51E4B6A04216BFCB14DB98899097EF7F8BF0D200B14866AF8B5D7641D374DE518BE0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                  • API String ID: 48624451-2108815105
                                                                                                                                                                                                                  • Opcode ID: 325e3a92d901412ebf33ad4b398faec2c0e5ce14d90fbf770676a7ef3fb369e8
                                                                                                                                                                                                                  • Instruction ID: 940b712ab6375999be9cae48bbd428f08d18698902a740fe6d917fccf98541bf
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 325e3a92d901412ebf33ad4b398faec2c0e5ce14d90fbf770676a7ef3fb369e8
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E51F475A14685AFCF30DE9CC8908BFF7B9AB5C201B048C9EE4A5D7682D7B4DA41C760
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00D44BE2
                                                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00D44C03
                                                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00D44C1E
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: _wcsicmp$EnvironmentVariable
                                                                                                                                                                                                                  • String ID: Ansi$OutputEncoding$UTF-8$UTF8$Unicode
                                                                                                                                                                                                                  • API String ID: 198002717-1479523454
                                                                                                                                                                                                                  • Opcode ID: 38fa50d4cbaeee5b4fb4d7d55d029faf5fdb52366f1866f38fa3dd4161b34be6
                                                                                                                                                                                                                  • Instruction ID: b280c51a33c224dd16c304d91f0aebfec95fbdb3b9b637c51025eda3f368dc70
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 38fa50d4cbaeee5b4fb4d7d55d029faf5fdb52366f1866f38fa3dd4161b34be6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2611A73D605306EFDF149F20DC96BA577E8EF46321F680459F581D6180EBB0D9848A35
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000001,?,?), ref: 00D441CF
                                                                                                                                                                                                                  • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000002,?,?), ref: 00D44212
                                                                                                                                                                                                                  • GetNetworkParams.IPHLPAPI(00000000,?), ref: 00D44249
                                                                                                                                                                                                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D44260
                                                                                                                                                                                                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D44267
                                                                                                                                                                                                                  • GetNetworkParams.IPHLPAPI(00000000,?), ref: 00D4427F
                                                                                                                                                                                                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D442FE
                                                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D44305
                                                                                                                                                                                                                  • DnsQueryConfigAllocEx.DNSAPI(00010003,00000000,00000000), ref: 00D44312
                                                                                                                                                                                                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00D4433D
                                                                                                                                                                                                                  • DnsFreeConfigStructure.DNSAPI(00000000,00010003), ref: 00D44381
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Heap$AllocComputerConfigFreeNameNetworkParamsProcess$ByteCharMultiQueryStructureWide
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3728844974-0
                                                                                                                                                                                                                  • Opcode ID: 56e02e16d15e7c8bbba68a9e984ea6f0265e8184c2815ec892805596d9f486a5
                                                                                                                                                                                                                  • Instruction ID: 051bdea436e09c2cea8c11512d72075c6e071affa5ca319740a19fb746fbb95d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 56e02e16d15e7c8bbba68a9e984ea6f0265e8184c2815ec892805596d9f486a5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D651A1B6904315AFE721AF60EC8DFAB73BCEB44B10F140469F555E6192DB709D808B70
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03184742
                                                                                                                                                                                                                  • Execute=1, xrefs: 03184713
                                                                                                                                                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 03184787
                                                                                                                                                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03184725
                                                                                                                                                                                                                  • ExecuteOptions, xrefs: 031846A0
                                                                                                                                                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 031846FC
                                                                                                                                                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03184655
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                  • API String ID: 0-484625025
                                                                                                                                                                                                                  • Opcode ID: e2d8d0a321584c941093cd8569d2dc9957d961f694e6b995a88ab73025ed270d
                                                                                                                                                                                                                  • Instruction ID: 51324182014574b730013f61edd72535c95d4326331c75c688ce726c8c7a1f54
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e2d8d0a321584c941093cd8569d2dc9957d961f694e6b995a88ab73025ed270d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2512735A00319BFEF14EBA5DC99BAD77ADEF0C300F040099E525AB1C1DB709A858F50
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00D44B41: _fileno.MSVCRT ref: 00D44B4C
                                                                                                                                                                                                                    • Part of subcall function 00D44B41: _get_osfhandle.MSVCRT ref: 00D44B53
                                                                                                                                                                                                                    • Part of subcall function 00D44BBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00D44BE2
                                                                                                                                                                                                                    • Part of subcall function 00D44BBC: _wcsicmp.MSVCRT ref: 00D44C03
                                                                                                                                                                                                                  • fgetpos.MSVCRT ref: 00D44CA8
                                                                                                                                                                                                                  • _fileno.MSVCRT ref: 00D44CC2
                                                                                                                                                                                                                  • _setmode.MSVCRT ref: 00D44CCA
                                                                                                                                                                                                                  • fwprintf.MSVCRT ref: 00D44CD6
                                                                                                                                                                                                                  • fgetpos.MSVCRT ref: 00D44CEF
                                                                                                                                                                                                                  • _fileno.MSVCRT ref: 00D44D09
                                                                                                                                                                                                                  • _setmode.MSVCRT ref: 00D44D11
                                                                                                                                                                                                                  • _fileno.MSVCRT ref: 00D44D21
                                                                                                                                                                                                                  • _write.MSVCRT ref: 00D44D29
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: _fileno$_setmodefgetpos$EnvironmentVariable_get_osfhandle_wcsicmp_writefwprintf
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2328354365-0
APIs
• ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00D429FD
• LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000400), ref: 00D42A16
• Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00D42A38
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00D42A49
• LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00D42A54
• Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00D42A6E
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00D42AEA
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: Local$AllocClassesDhcpv6FreeUser$ConvertInterfaceLuidName
• String ID:
• API String ID: 1150267431-0
APIs
• Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00D457D0,0000000C), ref: 00D44FA0
• _amsg_exit.MSVCRT ref: 00D44FB5
• _initterm.MSVCRT ref: 00D45009
• __IsNonwritableInCurrentImage.LIBCMT ref: 00D45035
• exit.MSVCRT ref: 00D4507C
• _XcptFilter.MSVCRT ref: 00D4508E
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
• String ID:
• API String ID: 796493780-0
APIs
• _fileno.MSVCRT ref: 00D44B4C
• _get_osfhandle.MSVCRT ref: 00D44B53
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0000054F,00000000,00002908), ref: 00D44B69
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D44B75
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D44B7F
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: ErrorLast$FileType_fileno_get_osfhandle
• String ID:
• API String ID: 3475475711-0
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
APIs
• ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00D42054
• DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00D42071
• LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00D420AC
• DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00D420CC
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00D4214C
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: ClassesDhcpEnumLocal$AllocConvertFreeInterfaceLuidName
• String ID:
• API String ID: 3187720636-0
APIs
• GetCurrentThreadCompartmentId.IPHLPAPI ref: 00D44641
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
• NsiAllocateAndGetTable.NSI(00000001,00D41350,00000007,?,00000004,?,00000668,00000000,00000000,00000000,00000000,?,00000001), ref: 00D4468B
• SetCurrentThreadCompartmentId.IPHLPAPI(?), ref: 00D446A7
• SetCurrentThreadCompartmentId.IPHLPAPI(00000000), ref: 00D446DF
• NsiFreeTable.NSI(?,?,00000000,00000000), ref: 00D446ED
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CompartmentCurrentThread$FreeTable$AllocateFormatLocalMessage__iob_func
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4019950967-0
                                                                                                                                                                                                                  • Opcode ID: 27e8e1b6bcbfa49ea981a33380465a4fc9363f3bc0d6c3ea24618ba8909e70b9
                                                                                                                                                                                                                  • Instruction ID: 4906d1b5c1cb4a0a429b95c32d16a60598667d940dac370ab9ca7ae6a484b10a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 27e8e1b6bcbfa49ea981a33380465a4fc9363f3bc0d6c3ea24618ba8909e70b9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8911A275A01218BFD720ABA5DC0AFEF7F78EF42B60F050064F504AB191DAB19944C7B0
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D430B1
                                                                                                                                                                                                                  • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00D430BF
                                                                                                                                                                                                                  • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00D430D9
                                                                                                                                                                                                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00D430E5
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Time$File$DateErrorFormatLastLocalSystem
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1951311907-0
                                                                                                                                                                                                                  • Opcode ID: a0c201fbf39ffccb63874a5daf6b6d194a4b518f0f38059b335af7e4d28940a9
                                                                                                                                                                                                                  • Instruction ID: 663c05351aa342e95b48b9d7312baf502580803f8a96bc7c8b9b68c1b4d77c53
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0c201fbf39ffccb63874a5daf6b6d194a4b518f0f38059b335af7e4d28940a9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 80117075605309ABEB248FA59C0AFFF7BBCEB49750F000125F602E6280DA60D9458A70
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00D45642
                                                                                                                                                                                                                  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D45651
                                                                                                                                                                                                                  • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D4565A
                                                                                                                                                                                                                  • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00D45663
                                                                                                                                                                                                                  • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00D45678
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1445889803-0
                                                                                                                                                                                                                  • Opcode ID: 6b60dc81f8466587868650948edf2538bd5c9a288bae59ba1a62b40eb670434c
                                                                                                                                                                                                                  • Instruction ID: 086d2c3d80b883e2c391fedc2a2a2fa8828deba760d6937c6801378c7afb976b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6b60dc81f8466587868650948edf2538bd5c9a288bae59ba1a62b40eb670434c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03110679D05308EBCB10DFB8E94869EBBF5EF5A310FA54865E402E7314E7309A008B60
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 0318031E
                                                                                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031802BD
                                                                                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031802E7
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                                                                                  • Opcode ID: a21e92ec14714482bdd2dd67f910b56459c6d1897e453e964e0e7f2e61ba74ca
                                                                                                                                                                                                                  • Instruction ID: 34000c70792e07f38c4dbd156e03f2e05026c2d3996cca502f2a4ca5d97411bf
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a21e92ec14714482bdd2dd67f910b56459c6d1897e453e964e0e7f2e61ba74ca
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 54E1BF74A04745EFD724DF28C884B2AB7E1BB4D324F180A5DF5A58B2E1D774D88ACB42
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 03187BAC
                                                                                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03187B7F
                                                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 03187B8E
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                                                                                  • Opcode ID: 77ff7fff003b230f3e04d30462466ea8a48768cf3fb7a6c6c68771d07a52e057
                                                                                                                                                                                                                  • Instruction ID: a623dc1eb5ad1d2c631c8ed90e10cbc80bf4c3831f5d0fdc363cb8c0c8e6cbdc
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 77ff7fff003b230f3e04d30462466ea8a48768cf3fb7a6c6c68771d07a52e057
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F41D0353097029FDB24DF29C840B6AB7E6EF8C711F144A1DF99ADB680DB31E8458B91
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0318728C
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03187294
                                                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 031872C1
                                                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 031872A3
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: b5825096e413bc4b3e51bdf2b052ae0a16795796bae95e7925608855b5ff8aba
• Instruction ID: 688a1b5380f12e6e4c4c1ee1fdd9fc825296b58eeeca5a488880678e9b444f3e
• Opcode Fuzzy Hash: b5825096e413bc4b3e51bdf2b052ae0a16795796bae95e7925608855b5ff8aba
• Instruction Fuzzy Hash: 4841F235704206AFDB20EF25CC41B6AB7A6FF4C710F284619F995EB680DB31E8528BD5
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
• Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 4d53c0cdbf37f4fb93be5db0f0aa9457b4bfc46b49f5f482ae9ebb4a60e48cb9
• Instruction ID: 90f9cbbbbb53fb12985cebeb88df0b446201548746fca8caef21527d3b7f3419
• Opcode Fuzzy Hash: 4d53c0cdbf37f4fb93be5db0f0aa9457b4bfc46b49f5f482ae9ebb4a60e48cb9
• Instruction Fuzzy Hash: 4C318876A102599FCF20DF29CC40BEEB7B8EB5C610F44499AE849D7140EB309A55CB60
APIs
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00D42B76
• ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00D42B8D
  • Part of subcall function 00D42C01: memset.MSVCRT ref: 00D42C2B
  • Part of subcall function 00D42C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00D42C80
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,?,?,00000200,00000001,?), ref: 00D42BCE
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
• String ID: Dhcpv6ClassId
• API String ID: 2135874933-1235502083
• Opcode ID: 74ee07c82cf4ddd3a3f2b57ce65f7030eab89c518090df220b296cd265bf0001
• Instruction ID: c4771ed6672b46b078146185ed005f79ea6d85e43de664d680770b51aefeb44a
• Opcode Fuzzy Hash: 74ee07c82cf4ddd3a3f2b57ce65f7030eab89c518090df220b296cd265bf0001
• Instruction Fuzzy Hash: 77112E71A0420CABDB10DFA0DC8DFEA73BCEB04744F4441A5B509E6195EB71AA888B74
APIs
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00D421D5
• ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00D421EC
  • Part of subcall function 00D42260: memset.MSVCRT ref: 00D4228A
  • Part of subcall function 00D42260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00D422DF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,?,?,00000200,00000001,?), ref: 00D4222D
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
  • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
  • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
• String ID: DhcpClassId
• API String ID: 2135874933-3964061114
• Opcode ID: 221dc3300f8fd170db617788334a3d4d46c1a69bc56f8247696c6276ecfe1709
• Instruction ID: 17ec0a1949cdacc6fda64890e7f8920102e884ad1df6b97c74e30b953248e96b
• Opcode Fuzzy Hash: 221dc3300f8fd170db617788334a3d4d46c1a69bc56f8247696c6276ecfe1709
• Instruction Fuzzy Hash: C011217190461CABDB10EFA0DC8DFEA77BCEB44704F4401A5B509E6191EBB19A89CF74
APIs
• memset.MSVCRT ref: 00D4228A
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00D422DF
Strings
• SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\, xrefs: 00D42291
• 0m^vPI^v, xrefs: 00D422DF
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: Openmemset
• String ID: 0m^vPI^v$SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
• API String ID: 180050240-3376735869
• Opcode ID: 6805886c53b75487f39bc615ccc13335960935db59df3c81278c77f374daf6aa
• Instruction ID: a170f95d39b36716edcdf68498f134ff18c499e8da766c60b80c7b728f9f02c4
• Opcode Fuzzy Hash: 6805886c53b75487f39bc615ccc13335960935db59df3c81278c77f374daf6aa
• Instruction Fuzzy Hash: 7301D872600318BBE714EB15EC47FBA73ACEB54714F504065F905DA1C2DAB0EE44CA74
APIs
• memset.MSVCRT ref: 00D42C2B
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00D42BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00D42C80
Strings
• SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\, xrefs: 00D42C32
• 0m^vPI^v, xrefs: 00D42C80
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: Openmemset
• String ID: 0m^vPI^v$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
• API String ID: 180050240-3761362698
• Opcode ID: 58cf2e2912919073851fcf9187cf39ad987601a3ea24afe90cc077eb44b4e18c
• Instruction ID: 964c2f7b95627dc3f5b6338fa155915864541bbf513d4cf11d189b275cef95f4
• Opcode Fuzzy Hash: 58cf2e2912919073851fcf9187cf39ad987601a3ea24afe90cc077eb44b4e18c
• Instruction Fuzzy Hash: F20124B2200319ABE710EB24DD47FBE73ACEB11314F908065FA05EB1C2DA70EE448A70
APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(dhcpcsvc.dll,00000000,00000000,00D42577,00000001), ref: 00D41D26
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,DhcpIsEnabled), ref: 00D41D3B
Strings
Memory Dump Source
• Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: DhcpIsEnabled$dhcpcsvc.dll
• API String ID: 2574300362-2583171064
• Opcode ID: 5db590516cf928a864ef5ff96f4a90eaf5f80f664ac77f478f033b6eb19c8193
• Instruction ID: e2aa5db8dce30890e8af3bbec9aebaef934db376008cc45f7236bc897c2af0e8
• Opcode Fuzzy Hash: 5db590516cf928a864ef5ff96f4a90eaf5f80f664ac77f478f033b6eb19c8193
• Instruction Fuzzy Hash: 6CD09EBCA44742BBDB101FB15C1DB563AA4A713B81F580455E912EA7D1DB74D084DA32
APIs
• ConvertInterfaceLuidToNameW.IPHLPAPI(?,00000002,00000020), ref: 00D427D1
• NsiSetAllParameters.NSI(00000001,00000005,00D41368,00000019,?,00000008,00000000,00000000), ref: 00D427ED
• Dhcpv6IsEnabled.DHCPCSVC6(00000002,?), ref: 00D42801
• Dhcpv6AcquireParameters.DHCPCSVC6(00000002), ref: 00D42817
  • Part of subcall function 00D45769: __iob_func.MSVCRT ref: 00D4576E
                                                                                                                                                                                                                    • Part of subcall function 00D44E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00D41EB0,00000000,00002908), ref: 00D44E96
                                                                                                                                                                                                                    • Part of subcall function 00D44E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00D41EB0,00000000,00002908), ref: 00D44EAE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Dhcpv6Parameters$AcquireConvertEnabledFormatFreeInterfaceLocalLuidMessageName__iob_func
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1181060623-0
                                                                                                                                                                                                                  • Opcode ID: bcaace577b94eaed5c59a1b4eb353dffd0fd6ef7dd2a0b84adf6748afaea115e
                                                                                                                                                                                                                  • Instruction ID: cced5eb7bea08cbea8dbe7efd84a9192ec1833a1149580e8bee8f2fa4a770b05
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bcaace577b94eaed5c59a1b4eb353dffd0fd6ef7dd2a0b84adf6748afaea115e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B231B535A407089FDB219BA59985ABFB3B9FF98710F980029F942A7391DB70EC05C670
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00D45478: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00D4547F
                                                                                                                                                                                                                  • __set_app_type.MSVCRT ref: 00D44ED2
                                                                                                                                                                                                                  • __p__fmode.MSVCRT ref: 00D44EE8
                                                                                                                                                                                                                  • __p__commode.MSVCRT ref: 00D44EF6
                                                                                                                                                                                                                  • __setusermatherr.MSVCRT ref: 00D44F17
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769037540.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769037540.0000000000D47000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_d40000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1632413811-0
                                                                                                                                                                                                                  • Opcode ID: 1e146256f94abd834b249af42f4350360fabcc21cb4ff4e3b3b88372888806ce
                                                                                                                                                                                                                  • Instruction ID: daf818ccb2e86cd157786627c9a43428c6e2dbe564ad1bc070557b618da945f5
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e146256f94abd834b249af42f4350360fabcc21cb4ff4e3b3b88372888806ce
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 44F0F278404B408FDB28AF30BC4E6183B70FB47726B155A19E426C63E6DB76D4808A31
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                                                                                  • String ID: +$-
                                                                                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                                                                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                                                                  • Instruction ID: c6eb7a9c5918d74c7532f635c94138afd61b70418a4804d69b205c3e7e1009b6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC918E71E40216DBDB24DF69C882ABEB7A5EF48720F58451AFC75E72C0D73099818B50
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000006.00000002.3769604243.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.0000000003209000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000320D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000006.00000002.3769604243.000000000327E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_30e0000_ipconfig.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: $$@
                                                                                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                                                                                  • Opcode ID: 01581a9bacd3d2f9b39f25a2c5a40acca4743dd426ca47bbebd420b91175fd1e
                                                                                                                                                                                                                  • Instruction ID: 2b2ad8d72eb814b3061058b4694d22d5dd7b7f067cb9183142a0924d140c82ad
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 01581a9bacd3d2f9b39f25a2c5a40acca4743dd426ca47bbebd420b91175fd1e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95816A75D002699BDB35DB54CC44BEEB7B8AF08710F0445EAE919B7280E7309E95CFA0