
Windows Analysis Report
TaojCblZKXL9OpS.exe

Overview

General Information

Sample name: TaojCblZKXL9OpS.exe
Analysis ID: 1538502
MD5: 3ba3c27ef00f1a033b232e701cdb8ea0
SHA1: 589db22d12e2e2a27f309f4532405daa82e03f2f
SHA256: 077cd5cb67798a07fa0c12e910783027f4e336a763dbbb5a82de449aef58bb51

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • TaojCblZKXL9OpS.exe (PID: 4776 cmdline: "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe" MD5: 3BA3C27EF00F1A033B232E701CDB8EA0)
    • TaojCblZKXL9OpS.exe (PID: 2248 cmdline: "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe" MD5: 3BA3C27EF00F1A033B232E701CDB8EA0)
      • RAVCpl64.exe (PID: 4172 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • cleanmgr.exe (PID: 4676 cmdline: "C:\Windows\SysWOW64\cleanmgr.exe" MD5: B33DBB516108EF7C37B99BA93DD25370)
          • explorer.exe (PID: 4928 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
  • cleanup
No configs have been found.

Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c290:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c290:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(4 further memory-dump entries are not included in this extract)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
2.2.TaojCblZKXL9OpS.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.TaojCblZKXL9OpS.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e5b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f3b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: TaojCblZKXL9OpS.exe | Avira: detected
Source: TaojCblZKXL9OpS.exe | ReversingLabs: Detection: 54%
Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: TaojCblZKXL9OpS.exe | Joe Sandbox ML: detected
Source: TaojCblZKXL9OpS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TaojCblZKXL9OpS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: TaojCblZKXL9OpS.exe, TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 4x nop then mov ebx, 00000004h | 9_2_049804E0
Source: explorer.exe, 0000000A.00000000.361700102779.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 0000000A.00000000.361700102779.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.361700102779.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.361696608667.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.0000000009194000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 0000000A.00000002.364918879320.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695961975.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: explorer.exe, 0000000A.00000000.361692090970.0000000002A60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364922834638.00000000096A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364924468408.000000000A0A0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000A.00000000.361696252881.0000000009064000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364919638744.0000000009064000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/e
Source: explorer.exe, 0000000A.00000000.361696608667.00000000090F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.00000000090F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?5u
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=3C188734586C431BAF5C248940644D08&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000000.361700102779.000000000CC22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.361696608667.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.0000000009194000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehwh2.png
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W33_Clea
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D9BR
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D9BR-dark
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-dark
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRyR
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRyR-dark
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvS
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvS-dark
Source: explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comeB
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/am
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15YhMq.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1l1LqV.img
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMzyrj.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAUzf9j.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10YNbC.img
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1nPsFu.img
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB4kwAp.img
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://imgized.net
Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=278807d9-9673-45f6-bf59-da37
Source: explorer.exe, 0000000A.00000002.364918879320.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695961975.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.commber:Oct:Oct
Source: explorer.exe, 0000000A.00000002.364930107759.000000000CE56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700866168.000000000CE56000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.come
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://stacker.com/
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://stacker.com/careers/top-10-most-common-jobs-hispanic-and-latino-scientists-and-engineers
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://stacker.com/food-drink/states-highest-concentration-restaurants
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://stacker.com/stories
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://th.RMS.fae8%H
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comembe
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.bls.gov/news.release/cpi.t02.htm
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.cnn.com/2024/03/13/business/mcdonalds-inflation-low-income-consumers/index.html
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/autos/news/nhtsa-wants-pedestrians-protected-from-big-nose-trucks-and-suvs
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/entertainment/news/james-earl-jones-dies-at-93-all-about-his-son-flynn/ar-
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/feed
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/foodanddri0
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/health/other/bipolar-disorder-and-alcohol-here-s-how-to-embrace-sobriety/a
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/companies/the-1-fast-food-chain-in-the-us-isn-t-mcdonald-s-according
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/companies/the-solid-state-batteries-hype-is-fading-prompting-auto-gi
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/movies/news/the-31-best-halloween-movies-of-all-time/ss-AA1rIoyK
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/donald-trump-visits-pennsylvania-mcdonald-s-alleges-without-
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-repeats-enemy-from-within-comment-targeting-pelosi-and
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/hubble-telescope-sees-stellar-volcano-erupt-in-amazing-col
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/scatter-and-survive-inside-a-u-s-military-shift-to-deny-china-big-
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/israel-killed-sinwar-by-forcing-him-from-the-tunnels/ar-AA1sBXI
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/u-s-investigating-intelligence-leak-about-israel-s-plans-for-at
Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/play/games/cubes2048/cg-9mvd9sprhm6x
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/nfl/donald-trump-stops-by-primetime-nfl-matchup-between-the-jets-an
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/nfl/jets-vs-steelers-live-updates-score-highlights-from-week-7-sund
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/travel/news/a-trip-to-italy-s-dying-city-is-like-stepping-into-the-middle-
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/travel/tripideas/the-global-origins-of-town-names-in-every-u-s-state-with-
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/groundbreaking-women-in-wrestling-25-pioneers-who-changed-the
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/tv/news/10-facts-about-breaking-bad-you-probably-didn-t-know/ss-AA1rXbzF
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Modesto%2CCalifornia?loc=eyJsIjoiTW9kZXN0byIsInIiOiJDY
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.qsrmagazine.com/downloads/2022-qsr-50
Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.theacsi.org/industries/restaurant/fast-food/
            Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.vox.com/the-goods/2019/6/26/18700762/fast-food-america-adam-chandler-drive-thru-dreams
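
            The strings above are reported from explorer.exe (process index 0000000A), and every one of them is listed against two memory dumps. The Python below is an editor-added example, not part of the Joe Sandbox report, that triages such lines by snapshot: a string that is already present in the process-start dump predates anything the sample did to that process and must not be read as command-and-control traffic, whereas a string that only appears in the end-of-analysis dump was written after the process started. It assumes that the second dotted field of a dump name is the snapshot phase (00000000 at process start, 00000002 at analysis end). The first two sample lines are copied from the report; the third is a constructed "introduced" case with a placeholder URL.

```python
import re

# Constructed sample input: two "String found in binary or memory" lines copied from the
# report above (explorer.exe, process index 0x0A), plus one hypothetical line that is NOT
# from the report and shows a string present only in the end-of-analysis snapshot.
REPORT_LINES = [
    "Source: explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, "
    "explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp"
    "String found in binary or memory: https://www.msn.com/en-us/tv/news/10-facts-about-breaking-bad-you-probably-didn-t-know/ss-AA1rXbzF",
    "Source: explorer.exe, 0000000A.00000002.364918139355.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp, "
    "explorer.exe, 0000000A.00000000.361695671183.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp"
    "String found in binary or memory: https://www.msn.com/en-us/play/games/cubes2048/cg-9mvd9sprhm6x",
    # Hypothetical (constructed) line: only an end-of-analysis dump lists the string.
    "Source: explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp"
    "String found in binary or memory: http://www.example.invalid/fb/",
]

# Memory-dump descriptor as rendered in the report. Assumption about the field layout:
# <process index>.<snapshot phase>.<timestamp>.<base address>.<page protection>...
# where phase 00000000 is the process-start snapshot and 00000002 the end-of-analysis one.
DUMP_RE = re.compile(r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})")
STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")

def parse_line(line):
    """Return (string, set of snapshot phases it was found in), or None if not a string line."""
    m = STRING_RE.search(line)
    if not m:
        return None
    found = m.group(1)
    dumps = DUMP_RE.findall(line[: m.start()])          # only the dump list before the finding
    phases = {int(phase, 16) for (_pid, phase, _ts, _base, _prot) in dumps}
    return found, phases

def triage(lines):
    """Map each reported string to 'pre-existing' (already in the process-start snapshot,
    so not attributable to the sample) or 'introduced' (seen only in later snapshots)."""
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        found, phases = parsed
        verdicts[found] = "pre-existing" if 0 in phases else "introduced"
    return verdicts

if __name__ == "__main__":
    for s, verdict in triage(REPORT_LINES).items():
        print(f"{verdict:13} {s}")
```

            On the lines copied from the report the verdict is "pre-existing" for every URL, which is the expected outcome for news-feed and cache residue in explorer.exe; only strings that fall into the "introduced" bucket are worth pursuing as candidate C2 indicators.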

            E-Banking Fraud

            Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0042C603 NtClose
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F34E0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2B90 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2BC0 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2A80 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2D10 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2EB0 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F4260 NtSetContextThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F4570 NtSuspendThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F29F0 NtReadFile
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F29D0 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F38D0 NtGetContextThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2B20 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2B10 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2B00 NtQueryValueKey
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2B80 NtCreateKey
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2BE0 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2A10 NtWriteFile
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2AA0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2AC0 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2D50 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2DA0 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2DC0 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2C30 NtMapViewOfSection
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F3C30 NtOpenProcessToken
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2C20 NtSetInformationFile
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2C10 NtOpenProcess
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2C50 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F3C90 NtOpenThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2CF0 NtDelayExecution
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2CD0 NtEnumerateKey
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2F30 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2F00 NtCreateFile
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2FB0 NtSetValueKey
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2E00 NtQueueApcThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2E50 NtCreateSection
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2E80 NtCreateProcessEx
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2ED0 NtResumeThread
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F2EC0 NtQuerySection
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62CF0 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62C30 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62D10 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62E50 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62A80 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62BC0 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62B80 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62B90 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62B00 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62B10 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C634E0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C64570 NtSuspendThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C64260 NtSetContextThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62CD0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62C50 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62C10 NtOpenProcess
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62C20 NtSetInformationFile
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62DC0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62DA0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62D50 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62EC0 NtQuerySection
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62ED0 NtResumeThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62E80 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62EB0 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62E00 NtQueueApcThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62FB0 NtSetValueKey
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62F00 NtCreateFile
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62F30 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C629D0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C629F0 NtReadFile
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62AC0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62AA0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62A10 NtWriteFile
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62BE0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C62B20 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C63C90 NtOpenThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C63C30 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C638D0 NtGetContextThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_0498F238 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049936D8 NtSetContextThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049946ED NtMapViewOfSection
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04994008 NtQueueApcThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04993CF8 NtResumeThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049939E8 NtSuspendThread
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04994AB8 NtUnmapViewOfSection
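
            The native API list above shows the same syscall stubs in the sample (process index 2) and in cleanmgr.exe (process index 9): NtCreateSection, NtMapViewOfSection, NtQueueApcThread and NtSetContextThread, which is the section-mapping plus APC / thread-context injection that the Signatures section flags ("Maps a DLL or memory area into another process", "Queues an APC in another process"). The Python below is an editor-added example, not part of the Joe Sandbox report, that parses those "Code function" lines together with the Yara memory-match lines from the E-Banking Fraud and System Summary sections and reports, per process, which injection primitives are present and in which page protection each Formbook-matched dump sits. The regexes target the text exactly as rendered on this page, and the dump-name field layout (index, phase, timestamp, base address, protection) is an assumption; the page-protection constants are the documented Windows values.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Code function" and Yara-match lines copied from the
# report above. The regexes are written for this rendered text, not for a documented
# Joe Sandbox export schema.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013F2E50 NtCreateSection,2_2_013F2E50",
    r"Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013F2C30 NtMapViewOfSection,2_2_013F2C30",
    r"Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013F2E00 NtQueueApcThread,2_2_013F2E00",
    r"Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013F4260 NtSetContextThread,2_2_013F4260",
    r"Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0042C603 NtClose,2_2_0042C603",
    r"Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C62E50 NtCreateSection,LdrInitializeThunk,9_2_04C62E50",
    r"Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_049946ED NtMapViewOfSection,9_2_049946ED",
    r"Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04994008 NtQueueApcThread,9_2_04994008",
    "Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, "
    "type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown",
    "Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, "
    "type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown",
]

# "<pid>_<phase>_<addr> <api>[,<api>...],<pid>_<phase>_<addr>": the trailing id repeats the
# leading one, so a backreference anchors the API list.
CODE_FN_RE = re.compile(
    r"^Source: (?P<image>.+?\.exe)Code function: "
    r"(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-F]{8}) (?P<apis>[\w,]+?),"
    r"(?P=pid)_(?P=phase)_(?P=addr)$"
)
# Memory-dump descriptor. Assumption: <process index>.<phase>.<timestamp>.<base>.<protection>...
DUMP_RE = re.compile(
    r"^Source: (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\."
    r".*?type: MEMORYMatched rule: (?P<rule>\S+)"
)

# Windows PAGE_* protection constants (winnt.h).
PAGE_PROTECTIONS = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Injection needs a way to place code in the target and a way to run it. NtCreateSection
# on its own is normal; the map into a foreign process or the remote write is the tell.
WRITE_PRIMITIVES = {"NtMapViewOfSection", "NtWriteVirtualMemory"}
EXEC_PRIMITIVES = {"NtQueueApcThread", "NtSetContextThread", "NtCreateThreadEx"}

def assess(lines):
    """Per process index: image path, syscall stubs seen, injection primitives, Yara hits."""
    procs = defaultdict(lambda: {"image": None, "apis": set(), "yara": []})
    for line in lines:
        m = CODE_FN_RE.match(line)
        if m:
            p = procs[int(m["pid"])]
            p["image"] = m["image"]
            p["apis"].update(m["apis"].split(","))
            continue
        m = DUMP_RE.match(line)
        if m:
            prot = int(m["prot"], 16)
            procs[int(m["pid"], 16)]["yara"].append(
                (m["rule"], int(m["base"], 16), PAGE_PROTECTIONS.get(prot, hex(prot))))
    report = {}
    for pid, p in procs.items():
        write = sorted(p["apis"] & WRITE_PRIMITIVES)
        execute = sorted(p["apis"] & EXEC_PRIMITIVES)
        report[pid] = {
            "image": p["image"],
            "apis": sorted(p["apis"]),
            "write_primitives": write,
            "exec_primitives": execute,
            "injection_capable": bool(write) and bool(execute),
            "yara": p["yara"],
        }
    return report

if __name__ == "__main__":
    for pid, r in sorted(assess(REPORT_LINES).items()):
        print(f"[{pid}] {r['image']}: injection_capable={r['injection_capable']} "
              f"write={r['write_primitives']} exec={r['exec_primitives']}")
        for rule, base, prot in r["yara"]:
            print(f"      {rule} @ {base:#x} ({prot})")
```

            On this input both processes come out injection-capable, and the Formbook match in the sample's own process sits at 0x3FA0000 in a PAGE_EXECUTE_READWRITE region while the match inside cleanmgr.exe (0x4880000) is PAGE_READWRITE; the unpacked payload at the image base 0x400000 is also listed as 0x40 in the Yara section, which is what "Found direct / indirect Syscall" and the syscall stubs at 0x013Fxxxx are consistent with.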
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_055185A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05512114
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05518A20
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_0551A3D0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05510C88
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05518A11
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_055135F1
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05511648
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_05511638
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07222106
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07226AC0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07222C38
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07226AB0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CB400
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CE488
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CB3F0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CE041
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074C4B48
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074C4B58
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CFB60
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CE8C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_075439A9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07544758
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_07540040
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_004185F3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00410063
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040E0E3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00402380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0042ECA3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00402640
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040FE43
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00402EB0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_004167CF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_004167D3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF113
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0140717A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0148010E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145D130
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DB1E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C51C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146E076
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B00A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F508C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014770F1
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CB0D0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CE310
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147F330
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147124C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AD2EC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0148A526
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014775C6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147F5C9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0142D480
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01476757
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C2760
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CA760
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146D646
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DC600
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E4670
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145D62C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147A6C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014336EC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147F6F6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0680
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BC6E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014059C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BE9A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147E9A6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EE810
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01435870
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147F872
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C3800
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C9870
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DB870
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013A6868
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01460835
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014718DA
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014778F3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D6882
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014398B2
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C28C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013FDB19
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0B10
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147FB2E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01434BC0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147EA5B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147CA13
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DFAA0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147FA89
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01477D4C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BAD00
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0D69
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147FD27
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2DB0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145FDF4
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C9DD0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146EC4C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CAC20
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147EC60
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B0C12
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01476C69
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C3C60
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0148ACEB
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01447CE8
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DFCE0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01459C98
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D8CDF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147FF63
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CCF00
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01471FC6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C6FE0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147EFBF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01402E48
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01460E6D
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E0E50
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C1EB2
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01479ED2
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B2EE8
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01470EAD
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C30445
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CFA526
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEA6C0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C2C6E0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C30680
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C54670
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C4C600
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE6757
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C3A760
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C32760
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C200A0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CDE076
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CF010E
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C3E310
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C48CDF
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CFACEB
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CDEC4C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE6C69
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEEC60
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C20C12
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C3AC20
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CAEC20
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C42DB0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C30D69
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C2AD00
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C22EE8
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE0EAD
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C72E48
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C50E50
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CD0E6D
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C36FE0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEEFBF
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C3CF00
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C328C0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C46882
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CCC89F
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C16868
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C5E810
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CD0835
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C2E9A0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEE9A6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEEA5B
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CECA13
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CA4BC0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C30B10
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C9D480
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CC5490
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEF5C9
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE75C6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CA36EC
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEF6F6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CDD646
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CCD62C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C3B0D0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE70F1
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C6508C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C351C0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C4B1E0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C7717A
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C1F113
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CCD130
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C1D2EC
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE124C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C21380
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEF330
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CB7CE8
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C4FCE0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CC9C98
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C33C60
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C39DD0
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CCFDF4
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE7D4C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEFD27
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE9ED2
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C31EB2
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE1FC6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CAFF40
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CEFF63
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE18DA
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CE78F3
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04CA98B2
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C39870
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C4B8709_2_04C4B870
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04CA58709_2_04CA5870
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04CEF8729_2_04CEF872
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C338009_2_04C33800
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C759C09_2_04C759C0
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04CEFA899_2_04CEFA89
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C4FAA09_2_04C4FAA0
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04CC1B809_2_04CC1B80
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04C6DB199_2_04C6DB19
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_04CEFB2E9_2_04CEFB2E
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498F2389_2_0498F238
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498E5039_2_0498E503
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498E3E89_2_0498E3E8
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498E3E49_2_0498E3E4
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498E8A09_2_0498E8A0
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498D9089_2_0498D908
            Source: C:\Windows\SysWOW64\cleanmgr.exeCode function: 9_2_0498CBB39_2_0498CBB3
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: String function: 0143EF10 appears 105 times
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: String function: 013AB910 appears 268 times
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: String function: 01407BE4 appears 96 times
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: String function: 0142E692 appears 86 times
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: String function: 013F5050 appears 36 times
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: String function: 04C65050 appears 57 times
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: String function: 04C1B910 appears 275 times
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: String function: 04C9E692 appears 86 times
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: String function: 04C77BE4 appears 100 times
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: String function: 04CAEF10 appears 105 times
            Source: TaojCblZKXL9OpS.exe, 00000000.00000002.359952196490.00000000077E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TaojCblZKXL9OpS.exe
            Source: TaojCblZKXL9OpS.exe, 00000000.00000002.359951569611.0000000007330000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TaojCblZKXL9OpS.exe
            Source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.00000000014AD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TaojCblZKXL9OpS.exe
            Source: TaojCblZKXL9OpS.exe | Binary or memory string: OriginalFilenamebbR.exe4 vs TaojCblZKXL9OpS.exe
            Source: TaojCblZKXL9OpS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: TaojCblZKXL9OpS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FiHrKMZPWTbmUfdgVb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/1@0/0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TaojCblZKXL9OpS.exe.log
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Mutant created: NULL
            Source: TaojCblZKXL9OpS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: TaojCblZKXL9OpS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: TaojCblZKXL9OpS.exe | ReversingLabs: Detection: 54%
            Source: unknown | Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: vssapi.dll
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: vsstrace.dll
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: wininet.dll
            Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
            Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
            Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
            Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: TaojCblZKXL9OpS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: TaojCblZKXL9OpS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: TaojCblZKXL9OpS.exe, TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs | .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
            Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs | .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs | .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CDE61 pushad ; iretd 0_2_074CDE68
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 0_2_074CECEA push eax; ret 0_2_074CECF1
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00401949 push esi; retf 2_2_004019A6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040D109 push edi; iretd 2_2_0040D10B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00403120 push eax; ret 2_2_00403122
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_004071A7 push esi; iretd 2_2_004071C6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040D358 pushfd ; ret 2_2_0040D362
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040B547 push ebp; retf 2_2_0040B54A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040AE10 push eax; iretd 2_2_0040AE11
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0041E6EF push ds; ret 2_2_0041E831
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0041E6F3 push ds; ret 2_2_0041E831
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_00417E81 push esi; retf 2_2_00417E8C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0041E763 push ds; ret 2_2_0041E831
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0040AF00 push eax; retf 2_2_0040AF01
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_004157E7 push ebp; retf 2_2_004157EA
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0041E798 push ds; ret 2_2_0041E831
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0041E7BE push ds; ret 2_2_0041E831
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B08CD push ecx; mov dword ptr [esp], ecx 2_2_013B08D6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04C208CD push ecx; mov dword ptr [esp], ecx 9_2_04C208D6
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_04986538 pushad ; retf 9_2_04986539
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_0498F738 push ecx; iretd 9_2_0498F792
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049871E9 push edi; ret 9_2_049871EE
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049952B2 push eax; ret 9_2_049952B4
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_049823C0 push es; iretd 9_2_049823C7
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_0498BE7B push edx; iretd 9_2_0498BE7C
            Source: C:\Windows\SysWOW64\cleanmgr.exe | Code function: 9_2_0498BF53 push cs; ret 9_2_0498BF59
            Source: TaojCblZKXL9OpS.exe | Static PE information: section name: .text entropy: 7.850867463772836
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.csHigh entropy of concatenated method names: 'WjbdASGZyl', 'uGidM472JI', 'MuWdbpw6S9', 'UxAd0jEBAe', 'LJgdtZDsd3', 'o2fdgKbJRR', 'ACBdIn5r1D', 'YE5dJTwpLA', 'g0Ndx8Pv47', 'o8hdFpS3WT'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, VqkX1sJl9WlVE9m8IX.csHigh entropy of concatenated method names: 'smuCDaf9NQ', 'myqCd0FSjh', 'NgBCyyZ0Kg', 'H1wC6grM3j', 'NNuCGJ1ZDp', 'Kd6CWURELb', 'ggXC2ZCLak', 'QtNCHIqKhy', 'bWNCLH7TTQ', 'MeCCXZOvq2'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, eHXW9y55FKAZ2Km2TDU.csHigh entropy of concatenated method names: 'ToString', 'QbH1Vwka3S', 'I9h13Cy34s', 'UqL1NXeiZE', 'Eio1DYI9qm', 'U171d14o9p', 'Pvc1y8mxh0', 'N1E16IT9eU', 'zWLaFKV6eMWCj3jHOeA', 'MfIrvYVlyXkhYGbsMHY'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.csHigh entropy of concatenated method names: 'CigVNfVxhj', 'VswVDDNg14', 'pbNVdCxjZP', 'jX7VyqoDq4', 'FY6V6A60Sv', 'LwwVGQL00O', 'xvcVWae8Fx', 'b73V28hnP8', 'RUDVHAb9eE', 'cQxVLiLb3a'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, MAndKLnsL1hfl6ymD0.csHigh entropy of concatenated method names: 'II4WD7ccHw', 'nRIWyUrxvn', 'WoEWGpBnGI', 'C5HGFMcX9l', 'KLkGztAKyT', 'NkQWawrLTt', 'MXlW5qpQuH', 'YkeWpyjnJ6', 'Eo0WV7ERdD', 'yflW3jP9kh'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, nmkmGZ3dkJjO3icYVt.csHigh entropy of concatenated method names: 'Das5WiHrKM', 'JWT52bmUfd', 'YVk5L1Ujhu', 'cbt5XUQ2qT', 'O1g5UfJ8P6', 'Ohj5fE8WUb', 'WI7hA3hCBAllGJ45iY', 'feA04Biy2CxtqwylhJ', 'GEV55EKnUl', 'qw45VQy78o'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, UigQWaiVAvGlJdNupS.csHigh entropy of concatenated method names: 'kFMWvSN2ml', 'olUWeFQoIV', 'G6MW4IVimt', 'OK7WKBMKAV', 'DW1Wl0uls4', 'bXdWuwXcWl', 'vefWRKB38P', 'Cy8WZS4M48', 'KOaWBdOgUG', 'qTlWsKXmig'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, UwANpE5VN125VG8b5Mq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o5e1AkmsTE', 'gRK1MahZ2F', 'oLb1buBn8Z', 'zcM10aMrnW', 'htk1tiYnY5', 'v901gmYgKT', 'J7M1IIoXuW'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FndM3Db6rwT30I7h0i.csHigh entropy of concatenated method names: 'ToString', 'N0IfoYjqXm', 'D8PfrSTKsZ', 'qPOfqj7xa3', 'c5dfjTOL6w', 'lrhf7iSS07', 'pD2fP3Vw9g', 'ayffnMpB3C', 'OkdfOPPykG', 'm2NfiKAdl0'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, thUIdVAYQuaWYJ8FNB.csHigh entropy of concatenated method names: 'RdHUENlIeQ', 'USrU9yBUME', 'atrUAKjonH', 'yJpUM4GeZM', 'ztbUrfqR03', 'BbXUqcn2ey', 'SFdUjDe0tR', 'wLOU7mYxWt', 'uaUUPfrsDO', 'Gp8UnPrGE7'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, jyuC4YyFoFSPS3lOxV.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'P8xpxkQjPQ', 'MVspFKmLfB', 'rnypzNGCOK', 'w1qVapIZje', 'UYeV54PrZq', 'uFCVpTvbEX', 'CAFVVSpd2r', 'rtJZgEPVrCOqUhtEHSp'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, xP3LUFBVk1UjhuVbtU.csHigh entropy of concatenated method names: 'L9nyKjok43', 'OYuyumn9Kq', 'QlxyZgfgTJ', 'COsyBXpFBH', 'AyryUb1Gb5', 'Yk4yfra8gq', 'AErymYReFD', 'RK3yCHJSBH', 'aJkyYB0olr', 'wVuy1AiaYL'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, yv7OID5aJFqrTubkogZ.csHigh entropy of concatenated method names: 'n7VYvVGjms', 'kT8YeZRY4Q', 'AACY40F2d6', 'xUiYKwyP8Z', 'SMrYltKCZe', 'HQ9YuYlX2U', 'YkFYR5sh5A', 'KJEYZouFKc', 'bsxYBjbIIS', 'UiBYsKgQo8'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, JsLsvykEfbYDv3nZjj.csHigh entropy of concatenated method names: 'B4FcZvbRmL', 'oHHcBBblaH', 'XKOcw2s5gS', 'su5crEg810', 'M8KcjxBlwx', 'SyLc7lRkKN', 'HojcnjcKHB', 'MWscOqIWxo', 'E5DcEuZwI5', 'oQ1cojr26P'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, IfqTFtpmZGPO2mAHjL.csHigh entropy of concatenated method names: 'KIZ4wuxKW', 'lBuKaf9xM', 'P2gu3LwTc', 'mlPRloT6E', 'BXIBryukF', 'V5Ys5vglO', 'PqQ4KZGjnBcplVfS9o', 'GVwOCYQuHSU6fSusAG', 'xCHCKFL5G', 'YNJ1dTlTu'
            Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, B12fsKxQU6lI8fgNoX.csHigh entropy of concatenated method names: 'rqhCw17Ilm', 'pTnCrL8m9g', 'IHpCq1MuNS', 't5cCj4ZDDO', 'sd8CA4iWH1', 'VXrC7yUqHo', 'Next', 'Next', 'Next', 'NextBytes'
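The metric behind the "High entropy of concatenated method names" hits above can be reproduced. The Python below is an added illustration written for this page, not the sandbox's own detector (whose exact normalisation and alert threshold are not stated in the report). It joins the method names of one flagged type, copied from the report lines above, computes the Shannon entropy of the resulting string in bits per character, and compares it with the entropy of the ordinary framework overrides that also appear in those lists (CanConvertFrom, ConvertFrom, ConvertTo, ToString, Dispose). Random-looking identifiers spread their characters across most of [A-Za-z0-9] and land close to the log2(62) ceiling; English-derived names reuse a handful of letters and score well below it.

```python
"""Added example: Shannon entropy of concatenated .NET method names.

Illustration code written for this page. It is not the sandbox's detector,
and the threshold the sandbox applies is not stated in the report.
"""
import math
from collections import Counter

# Method names copied from the report's first flagged type (nmkmGZ3dkJjO3icYVt.cs).
OBFUSCATED_NAMES = [
    "Das5WiHrKM", "JWT52bmUfd", "YVk5L1Ujhu", "cbt5XUQ2qT", "O1g5UfJ8P6",
    "Ohj5fE8WUb", "WI7hA3hCBAllGJ45iY", "feA04Biy2CxtqwylhJ", "GEV55EKnUl",
    "qw45VQy78o",
]

# Ordinary framework overrides that also appear in the flagged lists above.
READABLE_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose"]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution of `text`, in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    # A single repeated symbol yields -0.0; report it as a clean zero.
    return h if h > 0 else 0.0


def concatenated_name_entropy(names) -> float:
    """Entropy of all method names of one type joined into a single string."""
    return shannon_entropy("".join(names))


def alphanumeric_ceiling() -> float:
    """Upper bound for text drawn uniformly from [A-Za-z0-9]: log2(62) bits/char."""
    return math.log2(62)


def summarize(names) -> dict:
    """Entropy, the same value normalised against the alphanumeric ceiling, and the sample size."""
    h = concatenated_name_entropy(names)
    return {
        "entropy_bits": round(h, 3),
        "normalised": round(h / alphanumeric_ceiling(), 3),
        "chars": len("".join(names)),
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        print(label, summarize(names))
```

The normalised score is what makes the comparison fair: a type with only short, readable names has a small alphabet and a low ceiling, so comparing raw bits alone across types of different sizes would be misleading. The sample size is returned as well, because entropy estimated from a few dozen characters is noisy and a detector should demand a minimum before alerting.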
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Process information set: NOOPENFILEERRORBOX (43 occurrences)
            Source: C:\Windows\SysWOW64\cleanmgr.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match; File source: Process Memory Space: TaojCblZKXL9OpS.exe PID: 4776, type: MEMORYSTR
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA1486D144
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA14870594
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA1486FF74
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA1486D6C4
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA1486D864
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API/Special instruction interceptor: Address: 7FFA1486D004
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D144
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA14870594
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D764
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D324
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D364
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D004
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486FF74
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D6C4
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API/Special instruction interceptor: Address: 7FFA1486D864
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 1300000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 2F50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 2D10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 9480000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 7A30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: A480000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Memory allocated: 7C40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013F1763 rdtsc
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cleanmgr.exe; Window / User API: threadDelayed 9852
            Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 873
            Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 880
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; API coverage: 0.9 %
            Source: C:\Windows\SysWOW64\cleanmgr.exe; API coverage: 0.9 %
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe TID: 1832; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260; Thread sleep count: 123 > 30
            Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260; Thread sleep time: -246000s >= -30000s
            Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260; Thread sleep count: 9852 > 30
            Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260; Thread sleep time: -19704000s >= -30000s
            Source: C:\Windows\SysWOW64\cleanmgr.exe; Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Thread delayed: delay time: 922337203685477
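The sleep figures above carry more information than the report spells out. As an added example that is not part of the Joe Sandbox report or of the sample, the Python below takes the report's own "Thread sleep count" and "Thread sleep time" lines (embedded here as constructed input, values as printed) and derives the per-call interval: 246000/123 and 19704000/9852 both give 2000, so the cleanmgr.exe thread is calling Sleep with a 2000 ms argument in a loop. That only works out if the report's "s" suffix is read as milliseconds, which is assumed here (9852 sleeps of 2000 real seconds could not complete inside a sandbox run). The 922337203685477 delay in TaojCblZKXL9OpS.exe is 2^63-1 divided by 10000, i.e. the largest relative interval a 100-ns LARGE_INTEGER delay can hold, expressed in milliseconds: a sleep of roughly 29,000 years, which is why the sandbox reports it as an effectively infinite delay rather than a timing loop.

```python
"""Added example: decode the thread-sleep evidence lines of this report.

Illustration code written for this page; not part of the sandbox or the sample.
The input lines are copied from the report's evidence above (constructed input).
"""
import re

# Constructed input: the sleep evidence lines exactly as the report prints them.
SLEEP_LINES = [
    "Thread sleep time: -922337203685477s >= -30000s",
    "Thread sleep count: 123 > 30",
    "Thread sleep time: -246000s >= -30000s",
    "Thread sleep count: 9852 > 30",
    "Thread sleep time: -19704000s >= -30000s",
]

# Kernel delays are LARGE_INTEGER values in 100 ns ticks; a negative value is a
# relative delay. The largest magnitude such a value can hold is INT64_MAX.
INT64_MAX = 2**63 - 1
TICKS_PER_MS = 10_000
MS_PER_YEAR = 1000 * 60 * 60 * 24 * 365.25


def max_relative_delay_ms() -> int:
    """Largest relative delay expressible in 100 ns ticks, in whole milliseconds."""
    return INT64_MAX // TICKS_PER_MS


def is_infinite_sleep(reported_delay: int) -> bool:
    """True when a reported delay (either sign) equals INT64_MAX ticks in ms."""
    return abs(reported_delay) == max_relative_delay_ms()


def delay_in_years(delay_ms: int) -> float:
    """Human-scale view of a delay, for judging whether it can ever elapse."""
    return abs(delay_ms) / MS_PER_YEAR


def parse_sleep_evidence(lines):
    """Pair each 'sleep count' line with the 'sleep time' line that follows it.

    Returns a list of (count, total_ms). The report prints the totals with an
    's' suffix, but they are treated as milliseconds here (assumption, see
    the lead-in); a 'sleep time' line with no preceding count is left unpaired.
    """
    pairs = []
    pending_count = None
    for line in lines:
        m = re.match(r"Thread sleep count: (\d+) > \d+", line)
        if m:
            pending_count = int(m.group(1))
            continue
        m = re.match(r"Thread sleep time: -(\d+)s >= -\d+s", line)
        if m and pending_count is not None:
            pairs.append((pending_count, int(m.group(1))))
            pending_count = None
    return pairs


def per_call_interval_ms(pairs):
    """Total delay divided by call count: the argument passed to each Sleep call."""
    return [total // count for count, total in pairs]


if __name__ == "__main__":
    pairs = parse_sleep_evidence(SLEEP_LINES)
    print("count/total pairs:", pairs)
    print("per-call interval (ms):", per_call_interval_ms(pairs))
    print("INT64_MAX ticks in ms:", max_relative_delay_ms())
    print("that delay in years:", round(delay_in_years(max_relative_delay_ms())))
```

The per-call interval is the useful triage output: a constant 2000 ms across two counts of very different size points to a fixed Sleep in a polling or stalling loop rather than a jittered timer, and the loop count (9852) is what the sandbox's "Window / User API: threadDelayed 9852" line is counting.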
            Source: explorer.exe, 0000000A.00000000.361696608667.00000000090F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.00000000090F8000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWar32ss Root Port #17 - A340
            Source: explorer.exe, 0000000A.00000000.361696608667.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
            Source: cleanmgr.exe, 00000009.00000002.361766512377.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cleanmgr.exe; Process queried: DebugPort (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013F1763 rdtsc
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_00417783 LdrLoadDll
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_01485149 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_0144314A mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E7128 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_01483157 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E0118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013AF113 mov eax, dword ptr fs:[00000030h] (21 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013D510F mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B510D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_0140717A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B6179 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E716D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E415F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_0143A130 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_0146F13E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013AA147 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E31BE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E41BB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E41BB mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_014781EE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013D9194 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013F1190 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B4180 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013A91F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013C01F1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013DF1F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013A81EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013BA1E3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013DB1E0 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B91E5 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013C01C0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013C51C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_014851B6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_01436040 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_0148505B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013AD02D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_01459060 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013F2010 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B8009 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013D5004 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013D5004 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B7072 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B6074 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013B1051 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013E0044 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013F00A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013AA093 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013AC090 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_013A90F8 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe; Code function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01484080 mov eax, dword ptr fs:[00000030h]2_2_01484080
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AC0F6 mov eax, dword ptr fs:[00000030h]2_2_013AC0F6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013ED0F0 mov eax, dword ptr fs:[00000030h]2_2_013ED0F0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013ED0F0 mov ecx, dword ptr fs:[00000030h]2_2_013ED0F0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01437090 mov eax, dword ptr fs:[00000030h]2_2_01437090
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h]2_2_0145F0A5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h]2_2_014360A0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146B0AF mov eax, dword ptr fs:[00000030h]2_2_0146B0AF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CB0D0 mov eax, dword ptr fs:[00000030h]2_2_013CB0D0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB0D6 mov eax, dword ptr fs:[00000030h]2_2_013AB0D6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB0D6 mov eax, dword ptr fs:[00000030h]2_2_013AB0D6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB0D6 mov eax, dword ptr fs:[00000030h]2_2_013AB0D6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB0D6 mov eax, dword ptr fs:[00000030h]2_2_013AB0D6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014850B7 mov eax, dword ptr fs:[00000030h]2_2_014850B7
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D332D mov eax, dword ptr fs:[00000030h]2_2_013D332D
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE328 mov eax, dword ptr fs:[00000030h]2_2_013AE328
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE328 mov eax, dword ptr fs:[00000030h]2_2_013AE328
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE328 mov eax, dword ptr fs:[00000030h]2_2_013AE328
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E8322 mov eax, dword ptr fs:[00000030h]2_2_013E8322
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E8322 mov eax, dword ptr fs:[00000030h]2_2_013E8322
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E8322 mov eax, dword ptr fs:[00000030h]2_2_013E8322
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E631F mov eax, dword ptr fs:[00000030h]2_2_013E631F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CE310 mov eax, dword ptr fs:[00000030h]2_2_013CE310
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CE310 mov eax, dword ptr fs:[00000030h]2_2_013CE310
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CE310 mov eax, dword ptr fs:[00000030h]2_2_013CE310
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142E372 mov eax, dword ptr fs:[00000030h]2_2_0142E372
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142E372 mov eax, dword ptr fs:[00000030h]2_2_0142E372
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142E372 mov eax, dword ptr fs:[00000030h]2_2_0142E372
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142E372 mov eax, dword ptr fs:[00000030h]2_2_0142E372
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01430371 mov eax, dword ptr fs:[00000030h]2_2_01430371
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01430371 mov eax, dword ptr fs:[00000030h]2_2_01430371
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A9303 mov eax, dword ptr fs:[00000030h]2_2_013A9303
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A9303 mov eax, dword ptr fs:[00000030h]2_2_013A9303
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D237A mov eax, dword ptr fs:[00000030h]2_2_013D237A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146F30A mov eax, dword ptr fs:[00000030h]2_2_0146F30A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143330C mov eax, dword ptr fs:[00000030h]2_2_0143330C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143330C mov eax, dword ptr fs:[00000030h]2_2_0143330C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143330C mov eax, dword ptr fs:[00000030h]2_2_0143330C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143330C mov eax, dword ptr fs:[00000030h]2_2_0143330C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h]2_2_013BB360
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h]2_2_013EE363
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EA350 mov eax, dword ptr fs:[00000030h]2_2_013EA350
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A8347 mov eax, dword ptr fs:[00000030h]2_2_013A8347
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A8347 mov eax, dword ptr fs:[00000030h]2_2_013A8347
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A8347 mov eax, dword ptr fs:[00000030h]2_2_013A8347
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01483336 mov eax, dword ptr fs:[00000030h]2_2_01483336
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014343D5 mov eax, dword ptr fs:[00000030h]2_2_014343D5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B93A6 mov eax, dword ptr fs:[00000030h]2_2_013B93A6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B93A6 mov eax, dword ptr fs:[00000030h]2_2_013B93A6
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h]2_2_013DA390
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h]2_2_013DA390
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h]2_2_013DA390
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h]2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h]2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h]2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h]2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h]2_2_013B1380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h]2_2_013CF380
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146F38A mov eax, dword ptr fs:[00000030h]2_2_0146F38A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E33D0 mov eax, dword ptr fs:[00000030h]2_2_013E33D0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E43D0 mov ecx, dword ptr fs:[00000030h]2_2_013E43D0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B63CB mov eax, dword ptr fs:[00000030h]2_2_013B63CB
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142C3B0 mov eax, dword ptr fs:[00000030h]2_2_0142C3B0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h]2_2_013AE3C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h]2_2_013AE3C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h]2_2_013AE3C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AC3C7 mov eax, dword ptr fs:[00000030h]2_2_013AC3C7
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146F247 mov eax, dword ptr fs:[00000030h]2_2_0146F247
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0147124C mov eax, dword ptr fs:[00000030h]2_2_0147124C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0147124C mov eax, dword ptr fs:[00000030h]2_2_0147124C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0147124C mov eax, dword ptr fs:[00000030h]2_2_0147124C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0147124C mov eax, dword ptr fs:[00000030h]2_2_0147124C
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D0230 mov ecx, dword ptr fs:[00000030h]2_2_013D0230
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142D250 mov eax, dword ptr fs:[00000030h]2_2_0142D250
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142D250 mov ecx, dword ptr fs:[00000030h]2_2_0142D250
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h]2_2_013EA22B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h]2_2_013EA22B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h]2_2_013EA22B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A821B mov eax, dword ptr fs:[00000030h]2_2_013A821B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146D270 mov eax, dword ptr fs:[00000030h]2_2_0146D270
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AA200 mov eax, dword ptr fs:[00000030h]2_2_013AA200
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0144327E mov eax, dword ptr fs:[00000030h]2_2_0144327E
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h]2_2_013AB273
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h]2_2_013AB273
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h]2_2_013AB273
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143B214 mov eax, dword ptr fs:[00000030h]2_2_0143B214
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143B214 mov eax, dword ptr fs:[00000030h]2_2_0143B214
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01430227 mov eax, dword ptr fs:[00000030h]2_2_01430227
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01430227 mov eax, dword ptr fs:[00000030h]2_2_01430227
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01430227 mov eax, dword ptr fs:[00000030h]2_2_01430227
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DF24A mov eax, dword ptr fs:[00000030h]2_2_013DF24A
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014832C9 mov eax, dword ptr fs:[00000030h]2_2_014832C9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AC2B0 mov ecx, dword ptr fs:[00000030h]2_2_013AC2B0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D42AF mov eax, dword ptr fs:[00000030h]2_2_013D42AF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D42AF mov eax, dword ptr fs:[00000030h]2_2_013D42AF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A92AF mov eax, dword ptr fs:[00000030h]2_2_013A92AF
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h]2_2_013B7290
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h]2_2_013B7290
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h]2_2_013B7290
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h]2_2_013C02F9
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0142E289 mov eax, dword ptr fs:[00000030h]2_2_0142E289
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AD2EC mov eax, dword ptr fs:[00000030h]2_2_013AD2EC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AD2EC mov eax, dword ptr fs:[00000030h]2_2_013AD2EC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A72E0 mov eax, dword ptr fs:[00000030h]2_2_013A72E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h]2_2_013BA2E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h]2_2_013B82E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h]2_2_013B82E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h]2_2_013B82E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h]2_2_013B82E0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0146F2AE mov eax, dword ptr fs:[00000030h]2_2_0146F2AE
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_014792AB mov eax, dword ptr fs:[00000030h]2_2_014792AB
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h]2_2_0148B2BC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h]2_2_0148B2BC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h]2_2_0148B2BC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h]2_2_0148B2BC
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D32C5 mov eax, dword ptr fs:[00000030h]2_2_013D32C5
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E32C0 mov eax, dword ptr fs:[00000030h]2_2_013E32C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E32C0 mov eax, dword ptr fs:[00000030h]2_2_013E32C0
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A753F mov eax, dword ptr fs:[00000030h]2_2_013A753F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A753F mov eax, dword ptr fs:[00000030h]2_2_013A753F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013A753F mov eax, dword ptr fs:[00000030h]2_2_013A753F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013F2539 mov eax, dword ptr fs:[00000030h]2_2_013F2539
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B3536 mov eax, dword ptr fs:[00000030h]2_2_013B3536
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B3536 mov eax, dword ptr fs:[00000030h]2_2_013B3536
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013C252B mov eax, dword ptr fs:[00000030h]2_2_013C252B
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B55F mov eax, dword ptr fs:[00000030h]2_2_0148B55F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0148B55F mov eax, dword ptr fs:[00000030h]2_2_0148B55F
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013E1527 mov eax, dword ptr fs:[00000030h]2_2_013E1527
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EF523 mov eax, dword ptr fs:[00000030h]2_2_013EF523
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_01439567 mov eax, dword ptr fs:[00000030h]2_2_01439567
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h]2_2_013D1514
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EC50D mov eax, dword ptr fs:[00000030h]2_2_013EC50D
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013EC50D mov eax, dword ptr fs:[00000030h]2_2_013EC50D
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013AB502 mov eax, dword ptr fs:[00000030h]2_2_013AB502
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h]2_2_013DE507
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013B2500 mov eax, dword ptr fs:[00000030h]2_2_013B2500
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_013CC560 mov eax, dword ptr fs:[00000030h]2_2_013CC560
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0143C51D mov eax, dword ptr fs:[00000030h]2_2_0143C51D
            Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exeCode function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h]2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov ecx, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov ecx, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] | 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B254C mov eax, dword ptr fs:[00000030h] | 2_2_013B254C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013CE547 mov eax, dword ptr fs:[00000030h] | 2_2_013CE547
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E6540 mov eax, dword ptr fs:[00000030h] | 2_2_013E6540
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E8540 mov eax, dword ptr fs:[00000030h] | 2_2_013E8540
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014305C6 mov eax, dword ptr fs:[00000030h] | 2_2_014305C6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B45B0 mov eax, dword ptr fs:[00000030h] | 2_2_013B45B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B45B0 mov eax, dword ptr fs:[00000030h] | 2_2_013B45B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014355E0 mov eax, dword ptr fs:[00000030h] | 2_2_014355E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E2594 mov eax, dword ptr fs:[00000030h] | 2_2_013E2594
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA580 mov eax, dword ptr fs:[00000030h] | 2_2_013EA580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA580 mov eax, dword ptr fs:[00000030h] | 2_2_013EA580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E9580 mov eax, dword ptr fs:[00000030h] | 2_2_013E9580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E9580 mov eax, dword ptr fs:[00000030h] | 2_2_013E9580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143C5FC mov eax, dword ptr fs:[00000030h] | 2_2_0143C5FC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146F582 mov eax, dword ptr fs:[00000030h] | 2_2_0146F582
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0142E588 mov eax, dword ptr fs:[00000030h] | 2_2_0142E588
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0142E588 mov eax, dword ptr fs:[00000030h] | 2_2_0142E588
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E15EF mov eax, dword ptr fs:[00000030h] | 2_2_013E15EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143C592 mov eax, dword ptr fs:[00000030h] | 2_2_0143C592
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01457591 mov edi, dword ptr fs:[00000030h] | 2_2_01457591
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA5E7 mov ebx, dword ptr fs:[00000030h] | 2_2_013EA5E7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA5E7 mov eax, dword ptr fs:[00000030h] | 2_2_013EA5E7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] | 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014385AA mov eax, dword ptr fs:[00000030h] | 2_2_014385AA
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E65D0 mov eax, dword ptr fs:[00000030h] | 2_2_013E65D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EC5C6 mov eax, dword ptr fs:[00000030h] | 2_2_013EC5C6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] | 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01430443 mov eax, dword ptr fs:[00000030h] | 2_2_01430443
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AB420 mov eax, dword ptr fs:[00000030h] | 2_2_013AB420
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E7425 mov eax, dword ptr fs:[00000030h] | 2_2_013E7425
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E7425 mov ecx, dword ptr fs:[00000030h] | 2_2_013E7425
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147A464 mov eax, dword ptr fs:[00000030h] | 2_2_0147A464
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013A640D mov eax, dword ptr fs:[00000030h] | 2_2_013A640D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146F478 mov eax, dword ptr fs:[00000030h] | 2_2_0146F478
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01446400 mov eax, dword ptr fs:[00000030h] | 2_2_01446400
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01446400 mov eax, dword ptr fs:[00000030h] | 2_2_01446400
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B8470 mov eax, dword ptr fs:[00000030h] | 2_2_013B8470
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B8470 mov eax, dword ptr fs:[00000030h] | 2_2_013B8470
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146F409 mov eax, dword ptr fs:[00000030h] | 2_2_0146F409
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] | 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] | 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] | 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] | 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] | 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_01439429 mov eax, dword ptr fs:[00000030h] | 2_2_01439429
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] | 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] | 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] | 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] | 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] | 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013ED450 mov eax, dword ptr fs:[00000030h] | 2_2_013ED450
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013ED450 mov eax, dword ptr fs:[00000030h] | 2_2_013ED450
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] | 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] | 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EE4BC mov eax, dword ptr fs:[00000030h] | 2_2_013EE4BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E44A8 mov eax, dword ptr fs:[00000030h] | 2_2_013E44A8
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B24A2 mov eax, dword ptr fs:[00000030h] | 2_2_013B24A2
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B24A2 mov ecx, dword ptr fs:[00000030h] | 2_2_013B24A2
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EB490 mov eax, dword ptr fs:[00000030h] | 2_2_013EB490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EB490 mov eax, dword ptr fs:[00000030h] | 2_2_013EB490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] | 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] | 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] | 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146F4FD mov eax, dword ptr fs:[00000030h] | 2_2_0146F4FD
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B0485 mov ecx, dword ptr fs:[00000030h] | 2_2_013B0485
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D94FA mov eax, dword ptr fs:[00000030h] | 2_2_013D94FA
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B64F0 mov eax, dword ptr fs:[00000030h] | 2_2_013B64F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA4F0 mov eax, dword ptr fs:[00000030h] | 2_2_013EA4F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA4F0 mov eax, dword ptr fs:[00000030h] | 2_2_013EA4F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EE4EF mov eax, dword ptr fs:[00000030h] | 2_2_013EE4EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EE4EF mov eax, dword ptr fs:[00000030h] | 2_2_013EE4EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143C490 mov eax, dword ptr fs:[00000030h] | 2_2_0143C490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E54E0 mov eax, dword ptr fs:[00000030h] | 2_2_013E54E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143D4A0 mov ecx, dword ptr fs:[00000030h] | 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] | 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] | 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D44D1 mov eax, dword ptr fs:[00000030h] | 2_2_013D44D1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D44D1 mov eax, dword ptr fs:[00000030h] | 2_2_013D44D1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] | 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] | 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] | 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] | 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] | 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] | 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_014484BB mov eax, dword ptr fs:[00000030h] | 2_2_014484BB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143174B mov eax, dword ptr fs:[00000030h] | 2_2_0143174B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0143174B mov ecx, dword ptr fs:[00000030h] | 2_2_0143174B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0145E750 mov eax, dword ptr fs:[00000030h] | 2_2_0145E750
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D9723 mov eax, dword ptr fs:[00000030h] | 2_2_013D9723
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B471B mov eax, dword ptr fs:[00000030h] | 2_2_013B471B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B471B mov eax, dword ptr fs:[00000030h] | 2_2_013B471B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] | 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] | 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] | 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013BD700 mov ecx, dword ptr fs:[00000030h] | 2_2_013BD700
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] | 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] | 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] | 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] | 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B4779 mov eax, dword ptr fs:[00000030h] | 2_2_013B4779
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013B4779 mov eax, dword ptr fs:[00000030h] | 2_2_013B4779
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E0774 mov eax, dword ptr fs:[00000030h] | 2_2_013E0774
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147970B mov eax, dword ptr fs:[00000030h] | 2_2_0147970B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0147970B mov eax, dword ptr fs:[00000030h] | 2_2_0147970B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_0146F717 mov eax, dword ptr fs:[00000030h] | 2_2_0146F717
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013C2760 mov ecx, dword ptr fs:[00000030h] | 2_2_013C2760
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] | 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] | 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov ecx, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] | 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013EA750 mov eax, dword ptr fs:[00000030h] | 2_2_013EA750
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Code function: 2_2_013E174A mov eax, dword ptr fs:[00000030h] | 2_2_013E174A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtResumeThread: Direct from: 0x4AD532C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | NtResumeThread: Indirect: 0x1773ED0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtDelayExecution: Direct from: 0x4AD50E6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | NtSuspendThread: Indirect: 0x1773BC0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x7FFA14822651
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | NtSetContextThread: Indirect: 0x17738B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | NtClose: Indirect: 0x176F6E5
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x4ADCE23
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | NtQueueApcThread: Indirect: 0x176F654
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtClose: Direct from: 0x7FF9E0149E7F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Memory written: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cleanmgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Thread register set: target process: 4172
Source: C:\Windows\SysWOW64\cleanmgr.exe | Thread register set: target process: 4172
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364914245498.00000000042C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.364930107759.000000000CE56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700866168.000000000CE56000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndcs
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager@
Source: explorer.exe, 0000000A.00000000.361691047356.0000000000504000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364904632689.0000000000504000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanu
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 112 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
TaojCblZKXL9OpS.exe | 54% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
TaojCblZKXL9OpS.exe | 100% | Avira | TR/Dropper.MSIL.fxlcg |
TaojCblZKXL9OpS.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=278807d9-9673-45f6-bf59-da37 | explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D9BR | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.mic | explorer.exe, 0000000A.00000002.364918879320.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695961975.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/travel/tripideas/the-global-origins-of-town-names-in-every-u-s-state-with- | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/scatter-and-survive-inside-a-u-s-military-shift-to-deny-china-big- | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/sports/nfl/jets-vs-steelers-live-updates-score-highlights-from-week-7-sund | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/technology/hubble-telescope-sees-stellar-volcano-erupt-in-amazing-col | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000A.00000000.361700102779.000000000CC22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/feed | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.cnn.com/2024/03/13/business/mcdonalds-inflation-low-income-consumers/index.html | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/politics/trump-repeats-enemy-from-within-comment-targeting-pelosi-and | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://excel.office.com | explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/health/other/bipolar-disorder-and-alcohol-here-s-how-to-embrace-sobriety/a | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.micro | explorer.exe, 0000000A.00000000.361692090970.0000000002A60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364922834638.00000000096A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364924468408.000000000A0A0000.00000002.00000001.00040000.00000000.sdmp | false | | unknown
https://aka.ms/odirm | explorer.exe, 0000000A.00000000.361696252881.0000000009064000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364919638744.0000000009064000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.commber:Oct:Oct | explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/politics/donald-trump-visits-pennsylvania-mcdonald-s-alleges-without- | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://word.office.comembe | explorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/autos/news/nhtsa-wants-pedestrians-protected-from-big-nose-trucks-and-suvs | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-dark | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb | explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://stacker.com/careers/top-10-most-common-jobs-hispanic-and-latino-scientists-and-engineers | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/companies/the-1-fast-food-chain-in-the-us-isn-t-mcdonald-s-according | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/movies/news/the-31-best-halloween-movies-of-all-time/ss-AA1rIoyK | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/e | explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W33_Clea | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehwh2.svg | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://th.RMS.fae8%H | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/foodanddri0 | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.theacsi.org/industries/restaurant/fast-food/ | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m | explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvS-dark | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.come | explorer.exe, 0000000A.00000002.364930107759.000000000CE56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700866168.000000000CE56000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/travel/news/a-trip-to-italy-s-dying-city-is-like-stepping-into-the-middle- | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/tv/news/10-facts-about-breaking-bad-you-probably-didn-t-know/ss-AA1rXbzF | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/world/israel-killed-sinwar-by-forcing-him-from-the-tunnels/ar-AA1sBXI | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/world/u-s-investigating-intelligence-leak-about-israel-s-plans-for-at | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.com | explorer.exe, 0000000A.00000002.364918879320.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695961975.0000000008EE0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/sports/nfl/donald-trump-stops-by-primetime-nfl-matchup-between-the-jets-an | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRyR-dark | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/entertainment/news/james-earl-jones-dies-at-93-all-about-his-son-flynn/ar- | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://imgized.net | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/companies/the-solid-state-batteries-hype-is-fading-prompting-auto-gi | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/forecast/in-Modesto%2CCalifornia?loc=eyJsIjoiTW9kZXN0byIsInIiOiJDY | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.qsrmagazine.com/downloads/2022-qsr-50 | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?5u | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://excel.office.comeB | explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.vox.com/the-goods/2019/6/26/18700762/fast-food-america-adam-chandler-drive-thru-dreams | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.bls.gov/news.release/cpi.t02.htm | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D9BR-dark | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/play/games/cubes2048/cg-9mvd9sprhm6x | explorer.exe, 0000000A.00000002.364918139355.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E7B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=3C188734586C431BAF5C248940644D08&timeOut=5000&oc | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://stacker.com/stories | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRyR | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/tv/celebrity/groundbreaking-women-in-wrestling-25-pioneers-who-changed-the | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark | explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvS | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://stacker.com/food-drink/states-highest-concentration-restaurants | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehwh2.png | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 0000000A.00000002.364918139355.0000000008E51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361695671183.0000000008E51000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://stacker.com/ | explorer.exe, 0000000A.00000000.361701524354.000000000CF86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark | explorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
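Every row in the URL table above carries Malicious = false and an empty Antivirus Detection column, and every Source entry is a memory dump of explorer.exe (PID 0000000A). Before treating any of these strings as an indicator, a practitioner wants exactly that check made explicit: which process the strings were carved from, how many distinct hosts they resolve to, and whether any row is flagged. Hosts such as msn.com, office.com and a handful of news sites are what the Windows shell process ordinarily holds in memory, so on this evidence alone the table says nothing about the sample's own network behaviour. The Python below is an added triage helper written for this report; it is not Joe Sandbox code and not part of the original page. It re-splits rows in the fused form the extraction produced (URL, source list and flag run together), decodes the PID and region base address from each dump reference, and groups the result by process and host. The three input rows are copied from the table above; the list of process images comes from the process names that appear in this report; and reading the reference as pid.snapshot.dumpid.base followed by four attribute fields is an assumption, because the report does not document that layout.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: three rows copied from the URL table above, in the fused
# form the extraction produced (URL, source list and Malicious flag run together).
ROWS = [
    "https://excel.office.comexplorer.exe, 0000000A.00000002.364932121312.000000000D04F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361701846696.000000000D0CA000.00000004.00000001.00020000.00000000.sdmpfalse",
    "https://api.msn.com/explorer.exe, 0000000A.00000002.364928605143.000000000CC57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC57000.00000004.00000001.00020000.00000000.sdmpfalse",
    "https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhbexplorer.exe, 0000000A.00000002.364932121312.000000000CF86000.00000004.00000001.00020000.00000000.sdmpfalse",
]

# Process images named in this report. The URL is glued straight onto the first
# image name ("...office.comexplorer.exe"), so the split must key on known names;
# a generic "*.exe" pattern would swallow the tail of the URL.
KNOWN_IMAGES = ("TaojCblZKXL9OpS.exe", "explorer.exe")
_IMAGE = "|".join(re.escape(name) for name in KNOWN_IMAGES)

# One Source entry: "<image>, <pid>.<snapshot>.<dumpid>.<base>.<a>.<b>.<c>.<d>.sdmp".
# Assumption: the first hex field is the PID and the 16-digit field the region
# base address; the four trailing fields are matched but not interpreted.
_REF = re.compile(
    rf"(?P<image>{_IMAGE}), (?P<pid>[0-9A-F]{{8}})\.(?P<snapshot>[0-9A-F]{{8}})\."
    r"(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})(?:\.[0-9A-F]{8}){4}\.sdmp"
)
_REF_SRC = (
    rf"(?:{_IMAGE}), [0-9A-F]{{8}}\.[0-9A-F]{{8}}\.\d+\.[0-9A-F]{{16}}"
    r"(?:\.[0-9A-F]{8}){4}\.sdmp"
)
# Whole row: the shortest URL prefix that leaves one or more comma-separated
# references followed by the Malicious flag.
_ROW = re.compile(rf"^(?P<url>.*?)(?P<refs>(?:{_REF_SRC}(?:, )?)+)(?P<mal>true|false)$")


def parse_row(row: str) -> dict:
    """Split one fused row into its URL, source references and Malicious flag."""
    m = _ROW.match(row)
    if m is None:
        raise ValueError(f"row does not match the expected layout: {row[:60]!r}")
    refs = []
    for r in _REF.finditer(m["refs"]):
        d = r.groupdict()
        d["pid"] = int(d["pid"], 16)      # "0000000A" -> 10
        d["base"] = int(d["base"], 16)    # "000000000D04F000" -> 0xD04F000
        refs.append(d)
    return {"url": m["url"], "refs": refs, "malicious": m["mal"] == "true"}


def triage(rows):
    """Parse every row and summarise which process and hosts the strings belong to."""
    parsed = [parse_row(r) for r in rows]
    by_process = Counter((ref["image"], ref["pid"]) for p in parsed for ref in p["refs"])
    by_host = Counter(urlsplit(p["url"]).hostname for p in parsed)
    flagged = [p["url"] for p in parsed if p["malicious"]]
    return {"rows": parsed, "by_process": by_process, "by_host": by_host, "flagged": flagged}


if __name__ == "__main__":
    summary = triage(ROWS)
    for (image, pid), n in summary["by_process"].items():
        print(f"{n} reference(s) carved from {image} (PID {pid})")
    for host, n in summary["by_host"].most_common():
        print(f"{n} URL(s) on {host}")
    print("flagged rows:", summary["flagged"] or "none")
```

Run over the full table, the process counter has a single key, ("explorer.exe", 10), and the flagged list is empty; a row whose flag is true, or a reference carved from a process other than the expected host, is what would justify pivoting to the network and process-injection evidence elsewhere in the report.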
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538502
Start date and time: 2024-10-21 14:08:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TaojCblZKXL9OpS.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@5/1@0/0
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 73
• Number of non-executed functions: 250
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, c.pki.goog
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: TaojCblZKXL9OpS.exe

Time | Type | Description
08:11:37 | API Interceptor | 11247570x Sleep call for process: cleanmgr.exe modified

No context
No context
No context
No context
No context
Process: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.356444564060933
Encrypted: false
SSDEEP: 24:MLUE4K5E4K1Bs1qE4qXKDE4KhKMaKhPE4KLGdbBNAE4KzDhKIE4oKnKorE4x84j:MIHK5HK1Bs1qHiYHKh6oPHKONAHKz9tF
MD5: 2270FF6497576DD6035143D2E84AF1F1
SHA1: F2A21D61086E70CD779E2C725054CE656306569B
SHA-256: 6FC6BA0BBFF1B53DDA9DEBA4BEF0B5D883FBEC2EE83B0E71CADD7D1EA5FADF0F
SHA-512: 43852B3700D81571AEAF809204F98CF70F4D807246990EE3A7EA0281DFD93114236850FD5EEAE7255A50324D7349DE448F9325505E5811905D331DD9FE7327F5
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\6ef9a6e3c64a0e1d3f5927b7454c0932\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\10879c5bddb2dd2399e2098d5ca5c9d1\System.Xml.ni.dll"
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.822549473950236
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: TaojCblZKXL9OpS.exe
File size: 722'944 bytes
MD5: 3ba3c27ef00f1a033b232e701cdb8ea0
SHA1: 589db22d12e2e2a27f309f4532405daa82e03f2f
SHA256: 077cd5cb67798a07fa0c12e910783027f4e336a763dbbb5a82de449aef58bb51
SHA512: 1916bb4b0b99db3cf5283dc5b1ae66a8776f1304186b9b59e0bba5d71be2fcc069e957b048e6a951d40e200c991952358b03a14e753d267c46818cb08282b7e3
SSDEEP: 12288:SX2LIsgarONo+omJuIqI4PZmFfkD0dchILx6PejxX3pJP5B:zIsgsfcMI2Z6MacPPUB
TLSH: 67F412A203D9E32AD5ED07B41231F7B78B698E9DE512E3068DEF4CDFB91579028406D2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.g..............0......(........... ........@.. .......................@............@................................
Icon Hash: 1a36342b2274d235
Entrypoint: 0x4af7de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67125BD2 [Fri Oct 18 13:00:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
push edx
add byte ptr [ebp+00h], ah
jnc 00007F41B86B6332h
jne 00007F41B86B6332h
insd
add byte ptr [ebp+00h], ah
jnc 00007F41B86B6332h
inc ecx
add byte ptr [eax+00h], dh
jo 00007F41B86B6332h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IMPORT          0xaf78c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb0000          0x1904        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -
Only five directories are populated (IMPORT, RESOURCE, BASERELOC, IAT, COM_DESCRIPTOR). The COM_DESCRIPTOR entry is the CLR header (IMAGE_COR20_HEADER) and marks the file as a managed .NET executable; the empty SECURITY entry means the file carries no embedded Authenticode signature, and the empty DEBUG and LOAD_CONFIG entries mean there is no PDB reference and no CFG/SafeSEH metadata to inspect.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xad7fc       0xad800   e29152ebadf5b1ffe7d083fc2f7f6e11  False     0.9268394272334294  data       7.850867463772836    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb0000          0x1904        0x2000    e8c88cfecc1d15bd3e27dc3d3fe1fa28  False     0.638916015625      data       6.332091146808102    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb2000          0xc           0x800     f0ca2840ab1d27177ca1f76cfed1b1ac  False     0.01611328125       data       0.03037337037012526  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.text holds almost the whole file (0xad800 of 722'944 bytes) at an entropy of 7.85 out of a possible 8.0 and a ZLIB complexity of 0.93, i.e. it is essentially incompressible. That is far above what IL and metadata alone produce and points to an encrypted or compressed payload embedded in the section, to be unpacked at run time. .reloc is a 12-byte stub (virtual size 0xc) in a 0x800-byte raw slot, hence its near-zero entropy.
Name           RVA      Size    Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xb00c8  0x15cf  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced  -         -        0.8687085796166936
RT_GROUP_ICON  0xb16a8  0x14    data                                                         -         -        1.05
RT_VERSION     0xb16cc  0x234   data                                                         -         -        0.4734042553191489
DLL          Import
mscoree.dll  _CorExeMain
A single import, _CorExeMain from mscoree.dll, is the standard entry stub of every managed executable. The CLR resolves the program's real Win32 dependencies at run time from the assembly metadata (and from any P/Invoke or dynamically resolved calls), so this import table says nothing about what the sample does; the APIs it actually reaches are only visible in the dynamic analysis below.
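The static tables above (data directories, section table with entropy, the "Is in Section" column, and the CLR header check) can be reproduced with a few dozen lines of standard-library Python. The script below is an added example, not Joe Sandbox code and not derived from the sample; it parses a throwaway PE32 image that build_sample_pe() constructs in memory, so it runs offline. The directory names, section flags and header offsets are the ones defined in winnt.h; the 7.0 entropy threshold is a conventional choice, not a Joe Sandbox parameter. To run it against a real file, replace build_sample_pe() with open(path, "rb").read().

```python
"""Standard-library PE header walker for the fields in the static tables above (data
directories, section table, per-section entropy). Added example, not Joe Sandbox code;
build_sample_pe() constructs a throwaway PE32 image so everything runs offline."""
import math
import struct
from collections import Counter

# Section flags and data-directory order exactly as defined in winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
DATA_DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "COPYRIGHT",
    "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; above ~7.5 usually means packed or encrypted."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header -> section table (PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    # NumberOfRvaAndSizes sits at +92 (PE32) or +108 (PE32+); the directory array follows it.
    nrva_off = opt + (92 if magic == 0x10B else 108)
    nrva = struct.unpack_from("<I", pe, nrva_off)[0]
    dirs = {DATA_DIRECTORY_NAMES[i]: struct.unpack_from("<II", pe, nrva_off + 4 + 8 * i)
            for i in range(min(nrva, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return {"pe32plus": magic == 0x20B, "directories": dirs, "sections": sections,
            # a populated CLR header (IMAGE_COR20_HEADER) is what makes an image a .NET assembly
            "is_dotnet": dirs.get("COM_DESCRIPTOR", (0, 0)) != (0, 0)}


def containing_section(rva: int, sections: list):
    """The 'Is in Section' column: the section whose virtual range holds rva, else None."""
    return next((s["name"] for s in sections
                 if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)


def packed_sections(info: dict, threshold: float = 7.0) -> list:
    """Executable sections whose entropy exceeds threshold: the usual crypter/packer tell."""
    return [s["name"] for s in info["sections"] if s["executable"] and s["entropy"] > threshold]


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real program, not the analysed sample): a uniform-byte .text,
    a low-entropy .rsrc, an all-zero .reloc and a CLR header directory entry."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x40, 96 + 16 * 8
    specs = [
        (b".text", bytes(range(256)) * 4, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", bytes(range(16)) * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", b"\0" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    hdr_len = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(specs)) // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, 0x400, 0x600, 0, 0x2000, 0x2000, 0x3000, 0x400000, sect_align, file_align,
                      6, 0, 0, 0, 6, 0, 0, 0x2000 + sect_align * len(specs), hdr_len, 0, 3, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[14] = (0x2008, 0x48)  # COM_DESCRIPTOR at the same RVA/size as the report's table
    hdrs, body, va, raw = b"", b"", 0x2000, hdr_len
    for name, data, chars in specs:
        data += b"\0" * (-len(data) % file_align)  # raw data is padded to FileAlignment
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw, 0, 0, 0, 0, chars)
        body += data
        va, raw = va + sect_align, raw + len(data)
    head = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + hdrs
    return head + b"\0" * (hdr_len - len(head)) + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("is .NET:", info["is_dotnet"], " high-entropy executable sections:", packed_sections(info))
    for s in info["sections"]:
        print("%-6s va=0x%-6x raw=0x%-5x entropy=%.2f" % (s["name"], s["vaddr"], s["rawsize"], s["entropy"]))
```

Entropy is computed over the raw section bytes, as in the report; a section whose raw size is much larger than its virtual size (the .reloc case above) is mostly alignment padding, which is why its value is close to zero.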
                                                                                                                                                    No network behavior found

                                                                                                                                                    Target ID:0
                                                                                                                                                    Start time:08:10:21
                                                                                                                                                    Start date:21/10/2024
                                                                                                                                                    Path:C:\Users\user\Desktop\TaojCblZKXL9OpS.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
                                                                                                                                                    Imagebase:0x950000
                                                                                                                                                    File size:722'944 bytes
                                                                                                                                                    MD5 hash:3BA3C27EF00F1A033B232E701CDB8EA0
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:2
                                                                                                                                                    Start time:08:10:34
                                                                                                                                                    Start date:21/10/2024
                                                                                                                                                    Path:C:\Users\user\Desktop\TaojCblZKXL9OpS.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
                                                                                                                                                    Imagebase:0x900000
                                                                                                                                                    File size:722'944 bytes
                                                                                                                                                    MD5 hash:3BA3C27EF00F1A033B232E701CDB8EA0
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:8
                                                                                                                                                    Start time:08:10:54
                                                                                                                                                    Start date:21/10/2024
                                                                                                                                                    Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                    File size:16'696'840 bytes
                                                                                                                                                    MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:false

                                                                                                                                                    Target ID:9
                                                                                                                                                    Start time:08:10:55
                                                                                                                                                    Start date:21/10/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cleanmgr.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\cleanmgr.exe"
                                                                                                                                                    Imagebase:0xc30000
                                                                                                                                                    File size:288'768 bytes
                                                                                                                                                    MD5 hash:B33DBB516108EF7C37B99BA93DD25370
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:10
                                                                                                                                                    Start time:08:13:29
                                                                                                                                                    Start date:21/10/2024
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                    Imagebase:0x7ff60efc0000
                                                                                                                                                    File size:4'849'904 bytes
                                                                                                                                                    MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:false


                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:9.4%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:98.8%
                                                                                                                                                      Signature Coverage:2.8%
                                                                                                                                                      Total number of Nodes:248
                                                                                                                                                      Total number of Limit Nodes:12
execution_graph: the remainder is the raw node/edge dump behind the graph drawing (248 node ids and their edges) and is not reproduced here. What can be read from it is the set of Win32 APIs the graph reaches and the code regions they are called from:
• 0x1304xxx to 0x130exxx: GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateActCtxA, FindWindowW
• 0x5512xxx to 0x551fxxx: CreateWindowExW, CallWindowProcW, FindWindowW
• 0x722f646: DrawTextExW; 0x74c1ce6: CloseHandle
• 0x7540470 to 0x7542ac0: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, PostMessageW
The last group is the process hollowing (RunPE) sequence sitting in one code region: create a child process, allocate memory in it, write an image into it, read back what is needed for fix-ups, then redirect the child's main thread with Wow64SetThreadContext (the Wow64 variant because a 32-bit process is operating on a 32-bit child). This is consistent with the second TaojCblZKXL9OpS.exe instance (Target ID 2) starting 13 seconds after the first and carrying FormBook at 0x400000 in memory, where the original image would otherwise be mapped. With a Dynamic/Decrypted Code Coverage of 98.8%, nearly all executed code was produced at run time (JIT-compiled or decrypted), and none of the addresses above lies inside the .text section of the image mapped at 0x950000.

Control-flow Graph
                                                                                                                                                      control_flow_graph 445 5518a20-5518a4b 446 5518a52-5518d24 call 55185a0 call 55185b0 * 3 call 55185c0 call 55185b0 call 55185d0 call 55185b0 445->446 447 5518a4d 445->447 495 5518d26-5518d32 446->495 496 5518d4e 446->496 447->446 497 5518d34-5518d3a 495->497 498 5518d3c-5518d42 495->498 499 5518d54-5518d6c 496->499 500 5518d4c 497->500 498->500 502 5518d73-5518da0 499->502 503 5518d6e 499->503 500->499 710 5518da3 call 72241f0 502->710 711 5518da3 call 72241e1 502->711 503->502 505 5518da6-55194df call 55185e0 call 55185f0 call 551860c call 551861c call 551862c call 551863c call 551864c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c 714 55194e2 call 7227e28 505->714 715 55194e2 call 7227e38 505->715 586 55194e5-5519c59 call 55185f0 call 551860c call 551862c call 551863c call 551867c call 551868c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 551869c call 55186ac call 55186bc call 55186cc 708 5519c5c call 722abe8 586->708 709 5519c5c call 722abd8 586->709 667 5519c5f-5519cdd call 55186cc * 3 712 5519ce0 call 722abe8 667->712 713 5519ce0 call 722abd8 667->713 676 5519ce3-5519dbe call 55186cc * 4 690 5519dc0-5519dcc 676->690 691 5519de8 676->691 693 5519dd6-5519ddc 690->693 694 5519dce-5519dd4 690->694 692 5519dee-5519eae call 55186dc call 55186ec call 551860c call 55186fc 691->692 707 5519eb3-5519ebb 692->707 696 5519de6 693->696 694->696 696->692 708->667 709->667 710->505 711->505 712->676 713->676 714->586 715->586
Strings
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: $Dq
• API String ID: 0-2802590945
• Opcode ID: 2b270cd75413e52b64c10caa47152502dc55d778d334d7302d8bfd4adfcc4e49
• Instruction ID: 99e5b93dcd47db4df5245be17c925538edf6c224c6fd7ef2284d2502aa614160
• Opcode Fuzzy Hash: 2b270cd75413e52b64c10caa47152502dc55d778d334d7302d8bfd4adfcc4e49
• Instruction Fuzzy Hash: F9D2D834A1061ADFDB25DF64C894AD9B7B1FF9A300F1186E9D4096B364EB31AE85CF40

Control-flow Graph
                                                                                                                                                      control_flow_graph 716 5518a11-5518a4b 717 5518a52-5518a9a 716->717 718 5518a4d 716->718 723 5518aa4-5518ab0 call 55185a0 717->723 718->717 725 5518ab5-5518b62 call 55185b0 * 3 723->725 739 5518b6c-5518b78 call 55185c0 725->739 741 5518b7d-5518c3d call 55185b0 call 55185d0 call 55185b0 739->741 756 5518c48 741->756 757 5518c4f-5518c74 756->757 759 5518c7e-5518c94 757->759 760 5518c9d-5518ced 759->760 764 5518cf5-5518d0b 760->764 765 5518d17-5518d24 764->765 766 5518d26-5518d32 765->766 767 5518d4e 765->767 768 5518d34-5518d3a 766->768 769 5518d3c-5518d42 766->769 770 5518d54-5518d5c 767->770 771 5518d4c 768->771 769->771 772 5518d62-5518d6c 770->772 771->770 773 5518d73-5518d82 772->773 774 5518d6e 772->774 775 5518d8d-5518da0 773->775 774->773 985 5518da3 call 72241f0 775->985 986 5518da3 call 72241e1 775->986 776 5518da6-5518dba call 55185e0 778 5518dbf-5518e83 call 55185f0 call 551860c 776->778 785 5518e88-5518e9c call 551861c 778->785 787 5518ea1-5518ec6 785->787 788 5518ed0-5518ee7 call 551862c 787->788 790 5518eec-55194c6 call 551863c call 551864c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c 788->790 856 55194cb-55194df 790->856 981 55194e2 call 7227e28 856->981 982 55194e2 call 7227e38 856->982 857 55194e5-5519c3a call 55185f0 call 551860c call 551862c call 551863c call 551867c call 551868c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 55185f0 call 551860c call 551862c call 551863c call 55185f0 call 551860c call 551862c call 551863c call 551865c call 551866c call 551869c call 55186ac call 55186bc call 55186cc 937 5519c3f-5519c59 857->937 983 5519c5c call 722abe8 937->983 984 5519c5c call 
722abd8 937->984 938 5519c5f-5519cbe call 55186cc * 3 946 5519cc3-5519cdd 938->946 979 5519ce0 call 722abe8 946->979 980 5519ce0 call 722abd8 946->980 947 5519ce3-5519dbe call 55186cc * 4 961 5519dc0-5519dcc 947->961 962 5519de8 947->962 964 5519dd6-5519ddc 961->964 965 5519dce-5519dd4 961->965 963 5519dee-5519e81 call 55186dc call 55186ec call 551860c 962->963 974 5519e86-5519eae call 55186fc 963->974 967 5519de6 964->967 965->967 967->963 978 5519eb3-5519ebb 974->978 979->947 980->947 981->857 982->857 983->938 984->938 985->776 986->776
Strings
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: $Dq
• API String ID: 0-2802590945
• Opcode ID: b21b4cac67e0f8974c5c9be3acfe17209e781cc6e2656c61befdfbeb7ffcd8e1
• Instruction ID: 4f9b5464cb5e912e128c8ddcc6e2a254ab20b2a5e31dd0cdc90431056513f81c
• Opcode Fuzzy Hash: b21b4cac67e0f8974c5c9be3acfe17209e781cc6e2656c61befdfbeb7ffcd8e1
• Instruction Fuzzy Hash: 7AD2D934A1061ADFDB25DF64C894AD9B7B1FF9A300F1186E9D4096B364EB31AE85CF40

Control-flow Graph
                                                                                                                                                      control_flow_graph 1287 7222106-722210a 1288 722210b-7222120 1287->1288 1289 7222acd-7222adf 1287->1289 1288->1289 1290 7222121-722212c 1288->1290 1292 7222132-722213e 1290->1292 1293 722214a-7222159 1292->1293 1295 72221b8-72221bc 1293->1295 1296 72221c2-72221cb 1295->1296 1297 7222264-72222ce 1295->1297 1298 72221d1-72221e7 1296->1298 1299 72220c6-72220d2 1296->1299 1297->1289 1335 72222d4-722281b 1297->1335 1305 7222239-722224b 1298->1305 1306 72221e9-72221ec 1298->1306 1299->1289 1301 72220d8-72220e4 1299->1301 1303 72220e6-72220fa 1301->1303 1304 722215b-7222161 1301->1304 1303->1304 1314 72220fc-7222105 1303->1314 1304->1289 1307 7222167-722217f 1304->1307 1315 7222251-7222261 1305->1315 1316 7222a0c-7222ac2 1305->1316 1306->1289 1309 72221f2-722222f 1306->1309 1307->1289 1318 7222185-72221ad 1307->1318 1309->1297 1331 7222231-7222237 1309->1331 1314->1287 1316->1289 1318->1295 1331->1305 1331->1306 1413 7222832-72228c5 1335->1413 1414 722281d-7222827 1335->1414 1415 72228d0-7222963 1413->1415 1414->1415 1416 722282d 1414->1416 1417 722296e-7222a01 1415->1417 1416->1417 1417->1316
Strings
Memory Dump Source
• Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: fe49e8c1db3dcc507a91f5bf0372e7ad185ba1fa5e84fdb068e37a00fc328d16
• Instruction ID: 60f72ad30d14ebe2fa35c86c8791b1cd79d85e1f4178ac236e31b40b1c23951c
• Opcode Fuzzy Hash: fe49e8c1db3dcc507a91f5bf0372e7ad185ba1fa5e84fdb068e37a00fc328d16
• Instruction Fuzzy Hash: BB52C374A112288FDB64DF64D894A9EB7B6FF89300F1041D9E549AB364CF31AE81CF91

Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec41c33cb8a55aae6929c786a572157ec38e8170aa45dfed031e5be2e8484aee
• Instruction ID: 91eb39936b51f8044e8b3fd091f6a6929d4f663bed34832b274daeafa4d440c0
• Opcode Fuzzy Hash: ec41c33cb8a55aae6929c786a572157ec38e8170aa45dfed031e5be2e8484aee
• Instruction Fuzzy Hash: E7526D34A003168FDB15DF28C844B98B7F2FF89314F2586A9D5596F3A1DB71A982CF81

Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7bbba9f21b943751cc0c3023d53a5978852384a9bdcb02b04902eeb35fdf054
• Instruction ID: 2bee4b158cbc4dfb61ea86db615d9b62131f9cd88142af10b8ab1040beeae401
• Opcode Fuzzy Hash: a7bbba9f21b943751cc0c3023d53a5978852384a9bdcb02b04902eeb35fdf054
• Instruction Fuzzy Hash: 9C526D34A003168FDB15DF64C844B98B7F2FF89314F2586A9D5586F3A1DB72A982CF81

Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb0d69a4689b0f75f70c67625fab1c2457629fc2ff74695b9fccf2a93f3a6c92
• Instruction ID: 1e35e1858c927d77b6369e024754fbef96edc193d0d498e77eab441342cb0f0e
• Opcode Fuzzy Hash: cb0d69a4689b0f75f70c67625fab1c2457629fc2ff74695b9fccf2a93f3a6c92
• Instruction Fuzzy Hash: B8E1EBB1B016069FDB2ADB79C460BAEB7F6BF89708F14446ED045AB2A4CF34D801CB51

Memory Dump Source
• Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee671c48d1c6c8c2f3af58d19534338b7dff5c65fa1e83a3dd79ff9ea2f1e88e
• Instruction ID: 3bb136e59fadc66f0124ea8f281e56ace9aa611eae7dabd23342b27aaeb00ac2
• Opcode Fuzzy Hash: ee671c48d1c6c8c2f3af58d19534338b7dff5c65fa1e83a3dd79ff9ea2f1e88e
• Instruction Fuzzy Hash: 9312D871D1062ACFCB15DF68C880AD9F7B1FF89300F1586AAD459A7611EB70AAC5CF90

Memory Dump Source
• Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc3ddb558342672f75aff239888c3a26ff54de226f99e07f40a9fc22491d6fca
• Instruction ID: 040fd2a030b124660546a89d666a561ba68cca13bbf9fec10602b678a4bd9fdc
• Opcode Fuzzy Hash: bc3ddb558342672f75aff239888c3a26ff54de226f99e07f40a9fc22491d6fca
• Instruction Fuzzy Hash: E012C871D1061ACFCB15DF68C880AD9F7B1FF99300F1586AAD859A7611EB70AAC5CF80

Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91a9c1617e5641d099d0b1fe87cfcb465f6afefa42c253a4686e9a3d3289e225
• Instruction ID: 77b6e230802591de2baa2ef63a5b5a0091c9e016817d3623e5e4d0fa072c216a
• Opcode Fuzzy Hash: 91a9c1617e5641d099d0b1fe87cfcb465f6afefa42c253a4686e9a3d3289e225
• Instruction Fuzzy Hash: 83A18275E003199FDB04DFA4D8A4AEDBBBAFF89300F558615E416AF254DB30D885CB50

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c0c97f2e988887e824f2f996eee04ce97f21bc3bae06734f98a10ffbe555b13c
                                                                                                                                                      • Instruction ID: 9bdde920ec3f8f5eca432a1ef796de430e4042573bfa9be629179e92df835b23
                                                                                                                                                      • Opcode Fuzzy Hash: c0c97f2e988887e824f2f996eee04ce97f21bc3bae06734f98a10ffbe555b13c
                                                                                                                                                      • Instruction Fuzzy Hash: 88918D75E003199FCB04DFA4D8A49EDFBBAFF89300B558615E915AB2A4DB30E885CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 79c5fe0883f67663548ed0da50447d1e6d5529d07a6a002651965f0f7dd648a7
                                                                                                                                                      • Instruction ID: 86384eefc38156c9cef727a838084de56998bf38acb075a2ed8c1d267a284d46
                                                                                                                                                      • Opcode Fuzzy Hash: 79c5fe0883f67663548ed0da50447d1e6d5529d07a6a002651965f0f7dd648a7
                                                                                                                                                      • Instruction Fuzzy Hash: 1A21F8B4D146188BEB58CFABD9453EEBBB6EFC9300F14C06AD408A7264DB740546CFA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c9f984e8dfc239721b2ea50790bd328b0f08199c66601bb1a38ea88d52c5328f
                                                                                                                                                      • Instruction ID: e71abbcd01a5f6213df43f071e4e5a10701cbb18b96e4e3effbcf2fd2f2e490f
                                                                                                                                                      • Opcode Fuzzy Hash: c9f984e8dfc239721b2ea50790bd328b0f08199c66601bb1a38ea88d52c5328f
                                                                                                                                                      • Instruction Fuzzy Hash: 2021E7B4D046188BEB58CF9BD9453EEFAF6EFC9300F14C46AD4096A2A4DB740546CFA0

Control-flow Graph (rendered graph not recoverable from this export; entry block 130e798, blocks through 130e965, calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId)
                                                                                                                                                      APIs
                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0130E816
                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 0130E853
                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0130E890
                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0130E8E9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                      • Opcode ID: 3a8d4fa2a4f7554fd726beb366f81945c6269362683e2a0f00a8691d3400f7dc
                                                                                                                                                      • Instruction ID: 698e164f6191e1fb1c4ead1e31d0cd37e229456b1c56a90cb17a68b168a88d96
                                                                                                                                                      • Opcode Fuzzy Hash: 3a8d4fa2a4f7554fd726beb366f81945c6269362683e2a0f00a8691d3400f7dc
                                                                                                                                                      • Instruction Fuzzy Hash: AE5168B4E003498FDB15CFAAD588B9EBBF1EF88309F208859E019A7390D7745944CB66

Control-flow Graph (rendered graph not recoverable from this export; entry block 1305a84, blocks through 1305b33, no API calls in graph)
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: U
                                                                                                                                                      • API String ID: 0-3372436214
                                                                                                                                                      • Opcode ID: a77c5a45fd105ee38ad5ab1257eda2f742c2e94b6e06a8cc4a463e83e9dfef27
                                                                                                                                                      • Instruction ID: d908cbcfa93d4ff0a04479d9126e47c7f428a30d541735b9e76079ca5f85fb6c
                                                                                                                                                      • Opcode Fuzzy Hash: a77c5a45fd105ee38ad5ab1257eda2f742c2e94b6e06a8cc4a463e83e9dfef27
                                                                                                                                                      • Instruction Fuzzy Hash: 5D31D176C05348CFEB12CFA9C8597AEBBF4EF46318F548089D405AB291C775A949CF41

Control-flow Graph (rendered graph not recoverable from this export; entry block 754088c, blocks through 7540bdd, calls CreateProcessA)
                                                                                                                                                      APIs
                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07540ACE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                      • Opcode ID: f33c84bf94788fc3e36a8a1aed0a5cb2a9d0492f7bc3e50b0bc194dad880050e
                                                                                                                                                      • Instruction ID: 7c41ac014fb6097ed75b98bdd410c49325d986c08a4afbe349803719fcae1691
                                                                                                                                                      • Opcode Fuzzy Hash: f33c84bf94788fc3e36a8a1aed0a5cb2a9d0492f7bc3e50b0bc194dad880050e
                                                                                                                                                      • Instruction Fuzzy Hash: B0A15FB1D00319DFEB14DF69C850BEDBBB2BF48318F1485AAD948A7280D7749985CF91

Control-flow Graph (rendered graph not recoverable from this export; entry block 7540898, blocks through 7540bdd, calls CreateProcessA)
                                                                                                                                                      APIs
                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07540ACE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                      • Opcode ID: d97449d23b8286e5969f3e87cdaab19bda6d4b76da510066a1f27448ab639020
                                                                                                                                                      • Instruction ID: b688ea3c0893555fadbcf470571b88aca16b33045b4ae5b06357ef39b51d59a6
                                                                                                                                                      • Opcode Fuzzy Hash: d97449d23b8286e5969f3e87cdaab19bda6d4b76da510066a1f27448ab639020
                                                                                                                                                      • Instruction Fuzzy Hash: 6A914FB1D00319DFEB14DF69C850BEDBBB2BF44318F1485AAD948A7280DB749985CF91

Control-flow Graph (rendered graph not recoverable from this export; entry block 55132e5, blocks through 5513461, calls CreateWindowExW)
                                                                                                                                                      APIs
                                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05513402
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 716092398-0
                                                                                                                                                      • Opcode ID: 3a11db9dbf9a771268969d883a4244a7889281bc9bb69c61aae506761ff5856e
                                                                                                                                                      • Instruction ID: e696601f157e5a433c04e45470b42019bb1513be79a8a289341a776eab57a566
                                                                                                                                                      • Opcode Fuzzy Hash: 3a11db9dbf9a771268969d883a4244a7889281bc9bb69c61aae506761ff5856e
                                                                                                                                                      • Instruction Fuzzy Hash: D551CFB1D003489FDB15CFAAC894ADEBFB5FF48314F24852AE819AB210D774A945CF94

Control-flow Graph (rendered graph not recoverable from this export; entry block 55132f0, blocks through 5513461, calls CreateWindowExW)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05513402
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 59142c4144752ea0ebb35ef7302049f14bd5d70f5ff35da0a6325a792f950592
• Instruction ID: 51daf9f7203e7ec0d77f57427bd2ceafda6e500b1be652a04a38fbc3b21f0fcf
• Opcode Fuzzy Hash: 59142c4144752ea0ebb35ef7302049f14bd5d70f5ff35da0a6325a792f950592
• Instruction Fuzzy Hash: CF41CFB1D003489FDB15CFAAC894ADEFFB5BF48314F24852AE819AB210D7B49945CF94

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05515981
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: de4180e3497a4e5b6e4cdd2f989a86c112326ae0602f1452472d5d2c2b2d50a9
• Instruction ID: c6c33ba6c343c56dc1602c43cd7b89f64b8ce02f256e155cd71efe3495d1d5f8
• Opcode Fuzzy Hash: de4180e3497a4e5b6e4cdd2f989a86c112326ae0602f1452472d5d2c2b2d50a9
• Instruction Fuzzy Hash: 69411BB4900309DFDB14CF99C488BAABBF5FB88314F24C859E519AB321D775A841CFA5

APIs
• CreateActCtxA.KERNEL32(?), ref: 013059C9
Memory Dump Source
• Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ed9e3b9438daffad88242da0755b1a914912a959c10d27a54b229dd60de40c3b
• Instruction ID: 04651255a3f77db39b8b585f170968d59fdd618a54f3a9540d69dbb5e5604762
• Opcode Fuzzy Hash: ed9e3b9438daffad88242da0755b1a914912a959c10d27a54b229dd60de40c3b
• Instruction Fuzzy Hash: 5941CFB0C0071CCBEB25CFAAC884B9EBBF5BF49308F648059E409AB251DB755945CF94

APIs
• CreateActCtxA.KERNEL32(?), ref: 013059C9
Memory Dump Source
• Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8ac403efa741c26d320687b445efea8c812df102ac9c817138b636630f0cfd6a
• Instruction ID: c1db95813d00a6f09224d59591da13e89c3d89670c3a194c2eb1b3aaaf87e815
• Opcode Fuzzy Hash: 8ac403efa741c26d320687b445efea8c812df102ac9c817138b636630f0cfd6a
• Instruction Fuzzy Hash: 9941D170C00719CBEB25CFAAC888B9DBBF5BF49308F24815AD408AB251DB755949CF50

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075406A0
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: bf912dfbde175187fd8538012d01e83725e448797cb30b92acbcec467898208b
• Instruction ID: 3a9b7de5ea0744dc0ffeb44342d75b932fd5ad104bbc0f8365a24d625d619cd8
• Opcode Fuzzy Hash: bf912dfbde175187fd8538012d01e83725e448797cb30b92acbcec467898208b
• Instruction Fuzzy Hash: 6B2168B5D00359AFDB10CFA9C884BEEBBF4FF48314F50882AE919A3240C7789541CBA4

APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 0722F68F
Memory Dump Source
• Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 3297e8cde5d7764f17021d5e7e953b6651b14c8dc1186e24143379f753100f3f
• Instruction ID: 152d9784925618da86c9c36a47c2d0a6a5552f9e093e5e1ee24c17bf168b1864
• Opcode Fuzzy Hash: 3297e8cde5d7764f17021d5e7e953b6651b14c8dc1186e24143379f753100f3f
• Instruction Fuzzy Hash: 1731D2B5D0024AAFDB10CF9AD984AAEBBF4EB48214F14842EE818A7610D774A545CFA4

APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 0722F68F
Memory Dump Source
• Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 8104b4792d64cdb371dd0d778d99f1328643652e4b03eae842ac29593ce5058a
• Instruction ID: 3ebbd500cb3d26c4d161668fa9e44c8b742a2611aa1933f7af2d9ff66eb75e05
• Opcode Fuzzy Hash: 8104b4792d64cdb371dd0d778d99f1328643652e4b03eae842ac29593ce5058a
• Instruction Fuzzy Hash: 7521C4B5D0024AAFDB10CF9AD984AAEFBF5FB48314F14841EE819A7310D374A545CFA4

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075406A0
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: aaca3845e1def4c3e0183ec9f302c5c53f46610bc6c0194f7ee2f06e1263dd80
• Instruction ID: c7a9caf2024dea6c9127b55a994c0c44ac3e70cb1aba0eb69d1dd5eb60e85f3d
• Opcode Fuzzy Hash: aaca3845e1def4c3e0183ec9f302c5c53f46610bc6c0194f7ee2f06e1263dd80
• Instruction Fuzzy Hash: AF215AB1D003499FDB10DFA9C884BDEBBF4FF48314F10882AE919A7240C7789540CBA4

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075404F6
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 603d127991e60a1f03109aa5217967d0105a742558bad23460991c6346524ac3
• Instruction ID: 1014d3a5c6b50708dcd9720b404c982f58b4445c0b8579720691a3c41719689f
• Opcode Fuzzy Hash: 603d127991e60a1f03109aa5217967d0105a742558bad23460991c6346524ac3
• Instruction Fuzzy Hash: 822148B1D003099FDB14DFAAD484BEEBBF4EF48224F54842AD518A7640C7789645CFA1

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07540780
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: ceaf9e2da2459521aec28ebf56043a2b40b64136ff63e0d4454fd569fa8b14dd
• Instruction ID: db4021c7c261b0b652c816d72ad3b1a994629fcb8ec79e20e88f443eba35ae20
• Opcode Fuzzy Hash: ceaf9e2da2459521aec28ebf56043a2b40b64136ff63e0d4454fd569fa8b14dd
• Instruction Fuzzy Hash: 862125B1C003499FDB14DFAAD880BEEBBF4FF48314F50882AE518A7240D7389505DBA1

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07540780
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 30115765fd4e31993600b8cbf1afbef93aad26246b770a55c5f3bb55eeeec0d1
• Instruction ID: f7ce9f569debb37cb25675eec7edee35af080b1ab3729972985f0e135c00732f
• Opcode Fuzzy Hash: 30115765fd4e31993600b8cbf1afbef93aad26246b770a55c5f3bb55eeeec0d1
• Instruction Fuzzy Hash: F22114B1C003499FDB14DFAAC884BEEBBF5FF48314F50882AE518A7240D7789941DBA5

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075404F6
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 83cc1f0e7b94def2a2b52ea785390d541fe84205baddcf1ffccaaf63bc7bec33
• Instruction ID: 813dc97c9b43e6d6fb909568afa27d59f29af80169f093b48a958eaae4b122eb
• Opcode Fuzzy Hash: 83cc1f0e7b94def2a2b52ea785390d541fe84205baddcf1ffccaaf63bc7bec33
• Instruction Fuzzy Hash: 492135B1D003499FDB14DFAAC484BEEBBF4EF48224F54842AD518A7240D7789A45CFA5
                                                                                                                                                      APIs
                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130EA67
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                      • Opcode ID: a36a39c17b10b011fd625d5676602e53dc6d72f3ae486805d4fc4b386f6560d9
                                                                                                                                                      • Instruction ID: 1212a04ce708091556539f920272b0af18bd8b84fdc9cce5935e0abaa1db77e7
                                                                                                                                                      • Opcode Fuzzy Hash: a36a39c17b10b011fd625d5676602e53dc6d72f3ae486805d4fc4b386f6560d9
                                                                                                                                                      • Instruction Fuzzy Hash: BE21E4B5D00248AFDB10CFAAD884ADEFBF8FB48314F14841AE918A3350D374A944CF65
                                                                                                                                                      APIs
                                                                                                                                                      • FindWindowW.USER32(00000000,00000000), ref: 0130B11E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FindWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 134000473-0
                                                                                                                                                      • Opcode ID: e6085dea11b68d32275ec8f17f87fed27f8b87a2dbaab01b6101d4ee2084878f
                                                                                                                                                      • Instruction ID: 210f219287a36cd840d648cdab0440de118f6e7056d2125c7dad4553aeb0dff6
                                                                                                                                                      • Opcode Fuzzy Hash: e6085dea11b68d32275ec8f17f87fed27f8b87a2dbaab01b6101d4ee2084878f
                                                                                                                                                      • Instruction Fuzzy Hash: A02130B9C003098FDB15CF9AC884B9EFBF4FB49214F10852ED419B7640C375A548CBA0
                                                                                                                                                      APIs
                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075405BE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                      • Opcode ID: 1a1c0c7db0a270e8937408e487adeec62a349019122bfd9e0c6dbe93e87937c6
                                                                                                                                                      • Instruction ID: ce52f4d4cd0da9077324662dbe4e61e04cb6e7cc14e2be0d022bdf3f139a8f82
                                                                                                                                                      • Opcode Fuzzy Hash: 1a1c0c7db0a270e8937408e487adeec62a349019122bfd9e0c6dbe93e87937c6
                                                                                                                                                      • Instruction Fuzzy Hash: 571147768003489FDB24DFAAD844BEEBBF5EF48324F14881AE519A7640C7759540CBA1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075405BE
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 17e371a3fa0c0faef7efebc3ee33620f0ba3fd3acee8c72478ca103c1d1d0c86
• Instruction ID: 991988a1b0fa3c7c72d06b6837f36be8cfd4e9041185f68eb930f6c32d5dec61
• Opcode Fuzzy Hash: 17e371a3fa0c0faef7efebc3ee33620f0ba3fd3acee8c72478ca103c1d1d0c86
• Instruction Fuzzy Hash: 93116771C003489FDB14DFAAC844BEEBBF5EF48324F20881AE519A7640C7759540CFA0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07542B1D
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 87609173a436abad7a7efa6728e984394b5060ae9513863ac962a94ad965f261
• Instruction ID: 1d88f824037c1541546a3f631082a93fcf19578de47fbb4d9e355dc83e9d85ab
• Opcode Fuzzy Hash: 87609173a436abad7a7efa6728e984394b5060ae9513863ac962a94ad965f261
• Instruction Fuzzy Hash: D21106B58003499FDB20DF9AD885BDEFBF8FB58324F10841AE518A7600C375A984CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0130C786
Memory Dump Source
• Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1300000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5e4b4164ba70cbc99554792c41a08899fd2dbce440844153eaf0a90b76f54e97
• Instruction ID: e659704850e49fb02175c242ef9d26292a567fade1bf7c853614c35b77fa7c86
• Opcode Fuzzy Hash: 5e4b4164ba70cbc99554792c41a08899fd2dbce440844153eaf0a90b76f54e97
• Instruction Fuzzy Hash: 5A110FB9C003498FDB24CFAAC484B9EFBF8EB89614F10855AD518B7640C375A545CFA1
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07542B1D
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 47e0862bab51534d7878e31b7b9c2f60348abae1b8002206abd4296f174f318d
• Instruction ID: 316817215d509afb6bd516244e3e128236cc1edded7c5f83a00c32995b9a21ac
• Opcode Fuzzy Hash: 47e0862bab51534d7878e31b7b9c2f60348abae1b8002206abd4296f174f318d
• Instruction Fuzzy Hash: 3211D3B58003499FDB10DF9AD885BDEFBF8FB58314F10841AE558A7600C375A944CFA5
APIs
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,074C1B99,?,?), ref: 074C1D40
Memory Dump Source
• Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 39ad24eee0671f1c41f3b5f7b3ec00f024070e620930d73084ffc02e48765292
• Instruction ID: 860770abcb73544a70c4c2f31b439eccfdaf7fbed1a1ce27c8eebfc36e5c115b
• Opcode Fuzzy Hash: 39ad24eee0671f1c41f3b5f7b3ec00f024070e620930d73084ffc02e48765292
• Instruction Fuzzy Hash: 7D1128B5C003499FDB20DF99C484BDEBBF4EB49320F10841AE569A7741D378A544CFA5
APIs
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,074C1B99,?,?), ref: 074C1D40
Memory Dump Source
• Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 108187a8d03bb0d39604b68d8a384572e1a2fb3c91f4de821a388acd17d0ef7f
• Instruction ID: 8fb211d591f4940551064c6125a749c77c90657ae53f2a562f2d1e15483cb2ee
• Opcode Fuzzy Hash: 108187a8d03bb0d39604b68d8a384572e1a2fb3c91f4de821a388acd17d0ef7f
• Instruction Fuzzy Hash: C8115BB5C003499FCB10CF99D484BDEBBF4EB48320F10851AE568A7740C334A544CFA5
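The function records above are tool output, and the useful analyst question is which memory region references which API: the functions calling Wow64SetThreadContext and VirtualAllocEx both sit in the dump based at 07540000, which is marked "based on PE: false", i.e. unbacked memory rather than a mapped image, and those two calls are the classic primitives of thread-context manipulation and remote allocation used for process hollowing. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the exact layout shown above (leading padding stripped), groups API references by dump base offset, and flags regions that reference injection primitives. The set INJECTION_APIS is an analyst's choice, and the embedded sample is constructed from a few of the records above with the lines the parser ignores left out.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag process-injection primitives.
Added example; the record layout follows the report listing, the API set is analyst-chosen."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Win32/Nt APIs that together implement remote code injection / process hollowing.
# Analyst-chosen list (assumption), extend it for your own triage.
INJECTION_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "SetThreadContext", "Wow64SetThreadContext", "ResumeThread",
    "QueueUserAPC", "NtMapViewOfSection", "NtUnmapViewOfSection",
}

# "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075405BE"
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "• Source File: <dump>.sdmp, Offset: 07540000, based on PE: false"
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>\w+)$")
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})$")
RECORD_END = "• Instruction Fuzzy Hash:"   # last line of every complete record


@dataclass
class FunctionRecord:
    offset: str = ""             # base of the memory dump the function was lifted from
    based_on_pe: bool = False    # False: dump is unbacked memory, not a mapped PE image
    opcode_id: str = ""
    api_calls: list = field(default_factory=list)   # (api, module, ref) tuples


def parse_records(text):
    """Split the plugin listing into FunctionRecords; tolerates a truncated last record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()           # the HTML export pads every line with spaces
        if not line:
            continue
        if cur is None:
            cur = FunctionRecord()
        if m := API_RE.match(line):
            cur.api_calls.append((m["api"], m["module"], m["ref"]))
        elif m := SRC_RE.match(line):
            cur.offset = m["offset"]
            cur.based_on_pe = m["pe"].lower() == "true"
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
        elif line.startswith(RECORD_END):
            records.append(cur)
            cur = None
    if cur is not None and cur.offset:   # listing cut off mid-record
        records.append(cur)
    return records


def injection_primitives_by_region(records):
    """Map dump base offset -> sorted list of injection APIs referenced from that region."""
    hits = defaultdict(set)
    for rec in records:
        for api, _module, _ref in rec.api_calls:
            if api in INJECTION_APIS:
                hits[rec.offset].add(api)
    return {off: sorted(apis) for off, apis in hits.items()}


# Constructed sample: four records copied from the report, with the lines the
# parser ignores (Joe Sandbox IDA Plugin, Snapshot File, Similarity, ...) omitted.
SAMPLE = """
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075404F6
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
• Opcode ID: 83cc1f0e7b94def2a2b52ea785390d541fe84205baddcf1ffccaaf63bc7bec33
• Instruction Fuzzy Hash: 492135B1D003499FDB14DFAAC484BEEBBF4EF48224F54842AD518A7240D7789A45CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130EA67
Memory Dump Source
• Source File: 00000000.00000002.359946435791.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
• Opcode ID: a36a39c17b10b011fd625d5676602e53dc6d72f3ae486805d4fc4b386f6560d9
• Instruction Fuzzy Hash: BE21E4B5D00248AFDB10CFAAD884ADEFBF8FB48314F14841AE918A3350D374A944CF65
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075405BE
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
• Opcode ID: 1a1c0c7db0a270e8937408e487adeec62a349019122bfd9e0c6dbe93e87937c6
• Instruction Fuzzy Hash: 571147768003489FDB24DFAAD844BEEBBF5EF48324F14881AE519A7640C7759540CBA1
Memory Dump Source
• Source File: 00000000.00000002.359944916188.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
• Opcode ID: e7a3b79bd6befe3a52597b6e34ab4b3866bc2fcd9d4030b2a24027bde991796e
• Instruction Fuzzy Hash: A5210372504340EFDB15DF94D9C4B1ABBA9FBC8320F64C5A9E8494B246C336D816CBA2
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, apis in injection_primitives_by_region(recs).items():
        pe = any(r.based_on_pe for r in recs if r.offset == off)
        print(f"region {off} (mapped PE: {pe}) references injection APIs: {', '.join(apis)}")
```

Run against the whole function listing of a report, the output singles out the unbacked regions that carry the injection code, which is where to point the PE carver when extracting the payload that gets written into the hollowed process.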
Memory Dump Source
• Source File: 00000000.00000002.359944916188.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_103d000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7a3b79bd6befe3a52597b6e34ab4b3866bc2fcd9d4030b2a24027bde991796e
• Instruction ID: 46c21539bd5b44d080ccf22d3a89792f0d2036d31705b8a7c7f913d25083c2e5
• Opcode Fuzzy Hash: e7a3b79bd6befe3a52597b6e34ab4b3866bc2fcd9d4030b2a24027bde991796e
• Instruction Fuzzy Hash: A5210372504340EFDB15DF94D9C4B1ABBA9FBC8320F64C5A9E8494B246C336D816CBA2
Memory Dump Source
• Source File: 00000000.00000002.359945055418.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_104d000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d245c21ce91a7474aa7c913ca8c75774dc30cb41a29b5911a81cd62a93452bd9
• Instruction ID: 86d78aacd97fec24a5c8f24ef7d8f9508b866b242bb3047b30438cc51ecd3777
• Opcode Fuzzy Hash: d245c21ce91a7474aa7c913ca8c75774dc30cb41a29b5911a81cd62a93452bd9
• Instruction Fuzzy Hash: 6321F5B1504340AFDB15DFA4D6C0B16BBA5FBA4224F24C5BDE8894B252C336D446CB61
Memory Dump Source
• Source File: 00000000.00000002.359945055418.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_104d000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60f52059a9fe0c0d50e9912626ee4c54eda18e11ee87a292ebd0ae1574439421
• Instruction ID: 7b2582c5e098386841f258a40a4e471bb2282e225956ce1cfe283fdd2b782e62
                                                                                                                                                      • Opcode Fuzzy Hash: 60f52059a9fe0c0d50e9912626ee4c54eda18e11ee87a292ebd0ae1574439421
                                                                                                                                                      • Instruction Fuzzy Hash: 782137B1504300DFDB11DF94D5C4B16BBA1EB84314F24C5BDE8894F282C736D846CB62
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359944916188.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_103d000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c140ecf3ad89ae7157a85d9cbb62d8df644cf0240c10d28d5b84d0ad078fb78f
                                                                                                                                                      • Instruction ID: 572e0779fe94272ce7f863578106cd99854c0556bbf31e6249589da843378b50
                                                                                                                                                      • Opcode Fuzzy Hash: c140ecf3ad89ae7157a85d9cbb62d8df644cf0240c10d28d5b84d0ad078fb78f
                                                                                                                                                      • Instruction Fuzzy Hash: 2C21CD76404280CFCB12CF44D9C4B1ABFB2FB84310F24C1AAD8480B657C33AD81ACBA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359945055418.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_104d000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cd14bc22f87a00a3258a5f2092a2d89b36cdc84479800a918ace602919013b95
                                                                                                                                                      • Instruction ID: 4d81ca53e72b56d91f89d35ed917ad93d80ddbb32d4d5b1b4b5a8378f51a41a6
                                                                                                                                                      • Opcode Fuzzy Hash: cd14bc22f87a00a3258a5f2092a2d89b36cdc84479800a918ace602919013b95
                                                                                                                                                      • Instruction Fuzzy Hash: F4118BB5504280DFDB12CF58D5C4B55BBA1FB84314F24C6AED8494B696C33AE44ACB62
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359945055418.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_104d000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cd14bc22f87a00a3258a5f2092a2d89b36cdc84479800a918ace602919013b95
                                                                                                                                                      • Instruction ID: 4308741cab8b8a2e8cdeea93b94eeb523357110ac360c3ad85021e1dba5bf603
                                                                                                                                                      • Opcode Fuzzy Hash: cd14bc22f87a00a3258a5f2092a2d89b36cdc84479800a918ace602919013b95
                                                                                                                                                      • Instruction Fuzzy Hash: EE11D0B5504280DFDB12CF54D6C4B15BFA1FB94324F24C6AED8494B656C33AD44ACB51
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951466463.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_7220000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: 4'q$4'q$4'q$4|q$4|q$$q
                                                                                                                                                      • API String ID: 0-3102600102
                                                                                                                                                      • Opcode ID: fba409450bc0fcea757bec5aa41fc1228dc229634b728bb23211511c3e3e611c
                                                                                                                                                      • Instruction ID: e8c6dd8b5e340c56c93c081e490822b2d5538c3ecc6b57665a58e40462a8993e
                                                                                                                                                      • Opcode Fuzzy Hash: fba409450bc0fcea757bec5aa41fc1228dc229634b728bb23211511c3e3e611c
                                                                                                                                                      • Instruction Fuzzy Hash: E4F1C6B1720226EFD729DF38C494A6D77E6BF85200B1A4469E406CB362CB76DC43D791
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: 4'q$:$pq$~
                                                                                                                                                      • API String ID: 0-4038137657
                                                                                                                                                      • Opcode ID: 851ac4211ddb720b991e040c2457cd6ff3b0331dc0817d6ab5bad62b4dbdfa63
                                                                                                                                                      • Instruction ID: 506b0da4e684598ff0ebb810ba795d78bd17b1765826bb56295a3aee9af1634c
                                                                                                                                                      • Opcode Fuzzy Hash: 851ac4211ddb720b991e040c2457cd6ff3b0331dc0817d6ab5bad62b4dbdfa63
                                                                                                                                                      • Instruction Fuzzy Hash: 7442E3B9A00218DFDB55CFA9C990BD9BBB2FF49300F1580E9E509AB265D731AD91CF10
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                                      • Opcode ID: c8864918c1545296d34206cbef018b1792f22a0f70b53e65a8d14b1bcf5f232c
                                                                                                                                                      • Instruction ID: 6eadf61fb304e873b1f43f5fa3e84145b74c67b8d450cb3015c37dcdda83d963
                                                                                                                                                      • Opcode Fuzzy Hash: c8864918c1545296d34206cbef018b1792f22a0f70b53e65a8d14b1bcf5f232c
                                                                                                                                                      • Instruction Fuzzy Hash: 27D1C274A40645CFDB18DF69C598FE9B7F2BF89305F2580A9E405AB361DB31AD01CB60
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3706081756a70dea08224199127f0c3c59b2ea21ced4eea718dd7c91700e1a60
                                                                                                                                                      • Instruction ID: 3f965e78e5f6fc185c9dea3d9b49fddeea4b61cdcbab9300addd67760794c4af
                                                                                                                                                      • Opcode Fuzzy Hash: 3706081756a70dea08224199127f0c3c59b2ea21ced4eea718dd7c91700e1a60
                                                                                                                                                      • Instruction Fuzzy Hash: D3E13CB4E102698FDB14DFA8C580AAEFBF2FF49304F24816AD515AB355D730A941CFA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: db0c978f9befacd2275861a2190a4befb65126e07ba64b7f6d0b475753e91db1
                                                                                                                                                      • Instruction ID: fa90925a3fc01947bc1dd62a0fd8d822588ae198c82193903582f9731813d247
                                                                                                                                                      • Opcode Fuzzy Hash: db0c978f9befacd2275861a2190a4befb65126e07ba64b7f6d0b475753e91db1
                                                                                                                                                      • Instruction Fuzzy Hash: 3212B5B0D81745CAD752DF25F86C2893BB2BB81319FD04B09D2611B3E5DBB819AACF44
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c72a71cdae61eeb44c8b505c46bd512e3d4638b5ab0e1a9daef00cfdc6e55e89
                                                                                                                                                      • Instruction ID: 0c310b94f181e9188766097299800fcdbe7cbb9d031fddb14c7e646e0ddf5e56
                                                                                                                                                      • Opcode Fuzzy Hash: c72a71cdae61eeb44c8b505c46bd512e3d4638b5ab0e1a9daef00cfdc6e55e89
                                                                                                                                                      • Instruction Fuzzy Hash: 04E13EB4E102698FDB14DFA8C580AAEFBF2FF89304F24816AD514A7355D7309941CFA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6c1b3de2fbd8d24aee6ad8cb0c7d09aa03b20fef5a346cbb017658de8c1b8167
                                                                                                                                                      • Instruction ID: 33e93e4facbf6ca1e9102f657118cb5f30c513947d05964b6573a4534785fbdd
                                                                                                                                                      • Opcode Fuzzy Hash: 6c1b3de2fbd8d24aee6ad8cb0c7d09aa03b20fef5a346cbb017658de8c1b8167
                                                                                                                                                      • Instruction Fuzzy Hash: 55E13DB4E102198FDB14DFA8C580AAEFBB2FF49304F24816AD915A7359C7349946CFA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 520832f71587f58a14f72be44fe26a6c9be8f63093e92d479ef9b1fe2df2b314
                                                                                                                                                      • Instruction ID: 7defde761d7593832bebd43added7d44cb7e9737a81dea5af328484fb7158876
                                                                                                                                                      • Opcode Fuzzy Hash: 520832f71587f58a14f72be44fe26a6c9be8f63093e92d479ef9b1fe2df2b314
• Instruction Fuzzy Hash: 93E14EB4E102298FDB14DF98C580AAEFBF2FF49304F24816AD505AB359D7319941CF61
Memory Dump Source
• Source File: 00000000.00000002.359952089297.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39b89d22c734585833033c426c2705fa36395bb6eae5e9d76bbbfa5cd8cfc37d
• Instruction ID: 11f75f0950a41c4150a1ac83e37b9035c9562a07c7176e869299ecb6c6a71e44
• Opcode Fuzzy Hash: 39b89d22c734585833033c426c2705fa36395bb6eae5e9d76bbbfa5cd8cfc37d
• Instruction Fuzzy Hash: 39E14EB4E102598FDB14DFA8C580AAEFBF2FF89304F248169D519AB395D7309941CFA1
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3883c8f420b2ffb1b28ecd9baa74d7837ddbf39cdffb5bc82bb79905f0fdc151
• Instruction ID: 7acc464988a03714133e9afbbe505fbf454822b1b8c17aee89de184afaa928dc
• Opcode Fuzzy Hash: 3883c8f420b2ffb1b28ecd9baa74d7837ddbf39cdffb5bc82bb79905f0fdc151
• Instruction Fuzzy Hash: E8A18432E00205CFCF1ADFB5C4945AEBBF6FF84304B1545AAE806AB2A5DB71E955CB40
Memory Dump Source
• Source File: 00000000.00000002.359950337103.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5510000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e64494b8d6c764cbda34e05a74cad8abcca983cc01ffa33b5673d9e55ab4db6
• Instruction ID: 8fc0856984f2a9db57817f87885269de7707a2e8cd6ed958e7f9132cb29b4159
• Opcode Fuzzy Hash: 4e64494b8d6c764cbda34e05a74cad8abcca983cc01ffa33b5673d9e55ab4db6
• Instruction Fuzzy Hash: 9AC118B0C81745CBD712DF25F8682993BB2BB85325FD44B09D2612B3D5DBB818AACF44
Memory Dump Source
• Source File: 00000000.00000002.359951854484.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_74c0000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5035e9eded916d610d2e087c60828dfc422ede2533821c446b0fee5736ee6d65
• Instruction ID: acb60a041990c19d3616c296b0e9bdf2de70c60543a6304f595d2dae83682f5d
• Opcode Fuzzy Hash: 5035e9eded916d610d2e087c60828dfc422ede2533821c446b0fee5736ee6d65
• Instruction Fuzzy Hash: 2341CDB5E016198BEB58CF6ADD507DEFBF2AFC9200F14C5AAD508E7214EB309A458F50

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 5.4%
Signature Coverage: 7.7%
Total number of Nodes: 168
Total number of Limit Nodes: 17

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 236 417783-41779f 237 4177a7-4177ac 236->237 238 4177a2 call 42f443 236->238 239 4177b2-4177c0 call 42fa43 237->239 240 4177ae-4177b1 237->240 238->237 243 4177d0-4177e1 call 42dd93 239->243 244 4177c2-4177cd call 42fce3 239->244 249 4177e3-4177f7 LdrLoadDll 243->249 250 4177fa-4177fd 243->250 244->243 249->250
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177F5
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 51851d4ec39353f2ca85b4c7951266f9c96abdf332c5d2b26ea3d7496e6a3412
• Instruction ID: 342fbc9b8ee469514499ba9cdc9145fcfef3e2de52b2580bdc678dfe16ecd714
• Opcode Fuzzy Hash: 51851d4ec39353f2ca85b4c7951266f9c96abdf332c5d2b26ea3d7496e6a3412
• Instruction Fuzzy Hash: 1E0125B5E0020DA7DF10DBE5DC42FDEB778AB54308F4041A6E91897280F675EB58CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 261 42c603-42c63f call 4045c3 call 42d883 NtClose
APIs
• NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C63A
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 8723b2046e9617f04fa5878fa542770166a1cf607525191e27d71b9daf17b72b
• Instruction ID: 46ce32cc72a11755face5267556c70fc71b6f08be1bee795c24d5328428b3953
• Opcode Fuzzy Hash: 8723b2046e9617f04fa5878fa542770166a1cf607525191e27d71b9daf17b72b
• Instruction Fuzzy Hash: D7E086717006147FD610FA5ADC01F97775CDFC5714F40401AFA08A7181C674790087F5
APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e0f8da02629b756e91432613a46f332db5b33095a38957aad2eca424d8a2aff7
• Instruction ID: 66182276ece284f335c14317f4506d6abd75ef10fd25dd504c7a130db7592aeb
• Opcode Fuzzy Hash: e0f8da02629b756e91432613a46f332db5b33095a38957aad2eca424d8a2aff7
• Instruction Fuzzy Hash: 1C900232A0550502D50171595714706100597D0301F61C826A041456DDC7B58A5175A2

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 276 13f2b90-13f2b9c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 45eb06138c88c7f788cd15198a4e9f1e96ca79f168df4c8837a219c6e48f8f88
• Instruction ID: 067aaa8fc4fbc7b02b208201356a384378a7d2edb2f40bb542e02a758dbf2f7b
• Opcode Fuzzy Hash: 45eb06138c88c7f788cd15198a4e9f1e96ca79f168df4c8837a219c6e48f8f88
• Instruction Fuzzy Hash: A990023260148902D5117159960474A000597D0301F55C826A441465DDC7B589917121
APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4f0aa565dedfb45b1c08805c3232f1e458d1f7ee0f00184cb2073a8994233f15
• Instruction ID: 1019575995f818d0b588d78709354e427618e4df7f00c837d3540968f23fca5b
• Opcode Fuzzy Hash: 4f0aa565dedfb45b1c08805c3232f1e458d1f7ee0f00184cb2073a8994233f15
• Instruction Fuzzy Hash: 4790023260140502D50175996608646000597E0301F51D426A501455AEC77589917131

Control-flow Graph
control_flow_graph 275 13f2a80-13f2a8c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 769827621fe3ccbf47b58cfe1317455de7efff2524dd20d7f5b5c2df75585cf2
• Instruction ID: 572e6caff69bf1553da5b7ae3a06d1cd2108dfab820c5833f054a5d3988ec51c
• Opcode Fuzzy Hash: 769827621fe3ccbf47b58cfe1317455de7efff2524dd20d7f5b5c2df75585cf2
• Instruction Fuzzy Hash: B190026260240103450671595614616400A97E0301B51C436E1004595DC63589917125

APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a391097b66c943e2bf031674a3cae7df1a238d26339d103ada9bcaa4f391d3d6
• Instruction ID: 0439339e2a657cc26abd9c55bbf9572fc0fd55f646d0eaa17a6c1f2fc4c7fb42
• Opcode Fuzzy Hash: a391097b66c943e2bf031674a3cae7df1a238d26339d103ada9bcaa4f391d3d6
• Instruction Fuzzy Hash: 1990023260140513D51271595704707000997D0341F91C827A041455DDD7768A52B121

APIs
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fa5829be2d6eb154383cb23535c4947cf9fe600585339082a8d573289889c6d0
• Instruction ID: 101b17bac3ba384887fbc355053552c4860f27762d084637f0dff09f17600f40
• Opcode Fuzzy Hash: fa5829be2d6eb154383cb23535c4947cf9fe600585339082a8d573289889c6d0
• Instruction Fuzzy Hash: 8C90023260180502D50171595A1470B000597D0302F51C426A115455ADC73589517571

Control-flow Graph
control_flow_graph 0 413f55-413f5f 1 413f61 0->1 2 413fb2-413fc6 call 42f1f3 call 417783 0->2 3 413f63-413f64 1->3 4 413f1a-413f21 1->4 12 413fcb-413ffd call 404533 call 424e53 2->12 7 413f66-413f6f 3->7 10 413f71 7->10 11 413f39-413f44 7->11 10->7 15 413f73-413f76 10->15 13 413fb7-413fc5 11->13 14 413f46-413f4c 11->14 21 41401d-414023 12->21 22 413fff-41400e PostThreadMessageW 12->22 13->12 17 413fc6 call 417783 13->17 14->0 15->2 17->12 22->21 23 414010-41401a 22->23 23->21
APIs
• PostThreadMessageW.USER32(40Z4FIJL,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 40Z4FIJL$40Z4FIJL$<r^
• API String ID: 1836367815-93288839
• Opcode ID: 7a3fae6917d1065db17f010c9187f1a1b348d19ad3a127e761fe8a1a2f54fbeb
• Instruction ID: 14f43b76996dbc01c9c45611d67ec7a4969d92cba718dc021c742bf73b25bfc1
• Opcode Fuzzy Hash: 7a3fae6917d1065db17f010c9187f1a1b348d19ad3a127e761fe8a1a2f54fbeb
• Instruction Fuzzy Hash: 3F11C072D00158BADF119EA19C41CEFBB7CDE82798F144196E920AB251C3398F4743D8

Control-flow Graph
control_flow_graph 24 413f17-413f27
APIs
• PostThreadMessageW.USER32(40Z4FIJL,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 40Z4FIJL$40Z4FIJL
• API String ID: 1836367815-312937208
• Opcode ID: 7bcbca33e351ff64089635d8ddc88468b6229ed10dbdc39dc720a91ed8b81f7a
• Instruction ID: 3fc794922f037edc8faea526ffc6a4f4f813b021b2789387281e6ce0e299c14d
• Opcode Fuzzy Hash: 7bcbca33e351ff64089635d8ddc88468b6229ed10dbdc39dc720a91ed8b81f7a
• Instruction Fuzzy Hash: 0C21AF72904348BFDB029FA0DC80CEEBF7CDE92744B18009AEA505B312E7395D46CBA1

Control-flow Graph
APIs
• PostThreadMessageW.USER32(40Z4FIJL,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 40Z4FIJL$40Z4FIJL
• API String ID: 1836367815-312937208
• Opcode ID: af7380f2cadba2fcf36ae817dcaf56b139a0c5f9a3cc40a8596b1c3a900fc053
• Instruction ID: 45a8a99fedc0d3b76fbf91d227fd9d4e0b3ce7bbea3ff5caeb2a3bf0d23093d7
• Opcode Fuzzy Hash: af7380f2cadba2fcf36ae817dcaf56b139a0c5f9a3cc40a8596b1c3a900fc053
• Instruction Fuzzy Hash: 97112972D0021C7BEB10AAA19C81DEFBB7CEF40798F45406AFA1477141D26C8E068BA5

Control-flow Graph
APIs
• PostThreadMessageW.USER32(40Z4FIJL,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 40Z4FIJL$40Z4FIJL
• API String ID: 1836367815-312937208
• Opcode ID: faf2c67953caf6af43f5ed44ab7c36e036d671a44f4267780c8ebf1204d39fb7
• Instruction ID: 54b8239ffde73c3f9b73977429a514009a6cf4fdadf575a3e12687f95c8d8af4
• Opcode Fuzzy Hash: faf2c67953caf6af43f5ed44ab7c36e036d671a44f4267780c8ebf1204d39fb7
• Instruction Fuzzy Hash: C4012BB1D0021CBAEB10AAE19C81DEFBB7CDF41798F408069FA1477141D27C5E064BB5

Control-flow Graph
control_flow_graph 251 42c933-42c977 call 4045c3 call 42d883 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0041E53E,?,?,00000000,?,0041E53E,?,?,?), ref: 0042C972
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: b8070198b0dee11de76a4825249b26705f2017c21b5b50a83277ece6a7aa658d
• Instruction ID: d05bd58f4c375bb0e02caff2fd21d9a616b1d0481aa5f01a8df4f3ae315284ab
• Opcode Fuzzy Hash: b8070198b0dee11de76a4825249b26705f2017c21b5b50a83277ece6a7aa658d
• Instruction Fuzzy Hash: C0E06D716042087BDA14EF59DC41F9B73ADEFC5750F004019FA08A7242C670B9108AF5

Control-flow Graph
control_flow_graph 256 42c983-42c9c4 call 4045c3 call 42d883 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B000000,00000007,00000000,00000004,00000000,00417007,000000F4), ref: 0042C9BF
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 8fe101ebf9cafd3ea176687e5d8a00820594e92873123c107cc0ef3a650b3f63
• Instruction ID: fc2f8942203190a86150e5327b6bff926291328f45f2aa4381757ba2185f1acd
• Opcode Fuzzy Hash: 8fe101ebf9cafd3ea176687e5d8a00820594e92873123c107cc0ef3a650b3f63
• Instruction Fuzzy Hash: 79E06D717042187FDA14EE59DC41F9B77ACEFC9710F004019FA08A7242C670B91087B5

Control-flow Graph
control_flow_graph 266 42c9d3-42ca0f call 4045c3 call 42d883 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,B9F401BE,?,?,B9F401BE), ref: 0042CA0A
Memory Dump Source
• Source File: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_TaojCblZKXL9OpS.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 29a07aa1e8443156539bc3c99d1a64d2afca109b35d22d8a73be9ed879bce8cf
• Instruction ID: 4c6dd57dc15bec32791d0ffa9066440d9ba3236c790b275faa965e79a74e5c57
• Opcode Fuzzy Hash: 29a07aa1e8443156539bc3c99d1a64d2afca109b35d22d8a73be9ed879bce8cf
• Instruction Fuzzy Hash: 36E086716402187BD620FA9ADC41FD7775DDFC5714F10442AFA09A7141CA71BA01C7F4

Control-flow Graph
• Block 271: 13f2b2a-13f2b2f, successors 272 and 273
• Block 272: 13f2b3f-13f2b46, calls LdrInitializeThunk
• Block 273: 13f2b31-13f2b38
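The flattened control_flow_graph text is the only form in which this function's graph survives extraction. The Python below is an added example, not Joe Sandbox's own code or a documented format: it parses that text back into basic blocks, the API each block calls, and the edges between them, so the structure (one entry block branching to an LdrInitializeThunk call site and a fallthrough block) can be queried rather than read off a string. The grammar it assumes (node id, hex address range, optional API names, then src->dst edges) is inferred from this single line; the sample input is that line copied verbatim from the report.

```python
"""Parse the flattened ``control_flow_graph`` text Joe Sandbox emits for a
function into basic blocks, API call sites and edges.

Assumed grammar, inferred from the one line in this report (not a documented
Joe Sandbox format):
    control_flow_graph ( <id> <start>-<end> [<api> ...] | <src>-><dst> )*
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the control_flow_graph line reported for the function at
# 0x13f2b2a, copied verbatim from the report.
SAMPLE_CFG = (
    "control_flow_graph 271 13f2b2a-13f2b2f 272 13f2b3f-13f2b46 "
    "LdrInitializeThunk 271->272 273 13f2b31-13f2b38 271->273"
)

_RANGE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: int            # first address of the block (inclusive)
    end: int              # last address of the block (inclusive)
    apis: list = field(default_factory=list)   # API names called from this block
    succ: list = field(default_factory=list)   # successor node ids, in edge order


def parse_cfg(text):
    """Return {node_id: Block} for one control_flow_graph line.

    Raises ValueError on malformed input: unknown prefix, an API token before
    any block, or an edge that references a node never defined.
    """
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, current = {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        rng = _RANGE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        if tok.isdigit() and rng:
            current = Block(int(tok), int(rng.group(1), 16), int(rng.group(2), 16))
            blocks[current.node_id] = current
            i += 2
            continue
        # Any other token is an API name belonging to the most recent block.
        if current is None:
            raise ValueError(f"API token {tok!r} before any block")
        current.apis.append(tok)
        i += 1
    # Resolve edges only once every block is known: in a longer graph an edge
    # may be emitted before the definition of its target block.
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an undefined block")
        blocks[src].succ.append(dst)
    return blocks


def api_call_sites(blocks):
    """Map each API name to the sorted start addresses of the blocks calling it."""
    sites = {}
    for b in blocks.values():
        for api in b.apis:
            sites.setdefault(api, []).append(b.start)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def entry_blocks(blocks):
    """Node ids with no predecessor, i.e. the function's entry block(s)."""
    targets = {dst for b in blocks.values() for dst in b.succ}
    return sorted(nid for nid in blocks if nid not in targets)


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for nid in sorted(cfg):
        b = cfg[nid]
        print(f"block {nid}: {b.start:x}-{b.end:x} apis={b.apis} succ={b.succ}")
    print("entry:", entry_blocks(cfg))
    print("API call sites:",
          {k: [hex(a) for a in v] for k, v in api_call_sites(cfg).items()})
```

Running it on the sample yields three blocks with 271 as the sole entry and LdrInitializeThunk called from the block starting at 0x13f2b3f; the executed/not-executed colouring of the original graph is not present in the flattened text and so is not recovered.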
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                      • Opcode ID: 672cedc67f0d071037fd6b1ee7525145ca279053a8bd5ae9c39ae01d61c733f7
                                                                                                                                                      • Instruction ID: 95e105f38638e113d56cfaa8a508ffcbcfcf718860631e084e6caf01819814ba
                                                                                                                                                      • Opcode Fuzzy Hash: 672cedc67f0d071037fd6b1ee7525145ca279053a8bd5ae9c39ae01d61c733f7
                                                                                                                                                      • Instruction Fuzzy Hash: BBB09B72D014C5C5DA12E7645708B177900B7D0705F15C476D2460645FC778C591F175
                                                                                                                                                      Strings
                                                                                                                                                      • Thread identifier, xrefs: 01425345
                                                                                                                                                      • double initialized or corrupted critical section, xrefs: 01425313
                                                                                                                                                      • Critical section debug info address, xrefs: 0142522A, 01425339
                                                                                                                                                      • Critical section address, xrefs: 01425230, 014252C7, 0142533F
                                                                                                                                                      • Critical section address., xrefs: 0142530D
                                                                                                                                                      • 8, xrefs: 014250EE
                                                                                                                                                      • corrupted critical section, xrefs: 014252CD
                                                                                                                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 0142534E
                                                                                                                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014252ED
                                                                                                                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014252D9
                                                                                                                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01425215, 014252A1, 01425324
                                                                                                                                                      • Invalid debug info address of this critical section, xrefs: 014252C1
                                                                                                                                                      • Address of the debug info found in the active list., xrefs: 014252B9, 01425305
                                                                                                                                                      • undeleted critical section in freed memory, xrefs: 01425236
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                                      • API String ID: 0-2368682639
                                                                                                                                                      • Opcode ID: c6ab67cd350f70190ff848cfcfedcaf521eb0dd7f0bbea7f361b2a59997dd978
                                                                                                                                                      • Instruction ID: 3b9bc405205efc086b11b43a3e551ebcd95713a00bc31db33a7cdddf2513792b
                                                                                                                                                      • Opcode Fuzzy Hash: c6ab67cd350f70190ff848cfcfedcaf521eb0dd7f0bbea7f361b2a59997dd978
                                                                                                                                                      • Instruction Fuzzy Hash: F3816D71A41358AFDF20CF99C885BEEBBB4FB49718F60419AF504BB290D774A941CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                                                                                                      • API String ID: 0-3532704233
                                                                                                                                                      • Opcode ID: 333b199afc9b161cc52592f1e98aa2f9f33e8f1e72f793556c7110ca8ffac468
                                                                                                                                                      • Instruction ID: ab4392e6100d7f97c082a42f0a22394b3e9d9cb337ef9bfc11a4c256c46d39a4
                                                                                                                                                      • Opcode Fuzzy Hash: 333b199afc9b161cc52592f1e98aa2f9f33e8f1e72f793556c7110ca8ffac468
                                                                                                                                                      • Instruction Fuzzy Hash: 86B19E72508346DFD722CF68C840A5FBBE8EB94718F45492EF989D7750D770D9088B92
                                                                                                                                                      Strings
                                                                                                                                                      • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 013AD0E6
                                                                                                                                                      • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 013AD06F
                                                                                                                                                      • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 013AD202
                                                                                                                                                      • @, xrefs: 013AD09D
                                                                                                                                                      • Control Panel\Desktop\LanguageConfiguration, xrefs: 013AD136
                                                                                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 013AD263
                                                                                                                                                      • @, xrefs: 013AD24F
                                                                                                                                                      • @, xrefs: 013AD2B3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                                                                                                      • API String ID: 0-1356375266
                                                                                                                                                      • Opcode ID: 5ec81f6ce273db10b89bbc19f19bd7fdb3fb408642b848fda13e49c45efe608d
                                                                                                                                                      • Instruction ID: aebdad83e2d59dea42fb613980a421082da8637732bb84150aa3b1a2abaec12a
                                                                                                                                                      • Opcode Fuzzy Hash: 5ec81f6ce273db10b89bbc19f19bd7fdb3fb408642b848fda13e49c45efe608d
                                                                                                                                                      • Instruction Fuzzy Hash: F5A18CB15083069FE721DF69C440B9BBBE8FB84719F50492EFA8997250E774D908CB93
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                                                                                                                                      • API String ID: 0-2224505338
                                                                                                                                                      • Opcode ID: 42c41f00c086226ce9c49d21b69c3046a58025660301a8a6aa17791e9efe9e1a
                                                                                                                                                      • Instruction ID: 08adfd2fd657f08a877fb9e2275bfe031958a83e4b4c87ed4418525aa4c880b0
                                                                                                                                                      • Opcode Fuzzy Hash: 42c41f00c086226ce9c49d21b69c3046a58025660301a8a6aa17791e9efe9e1a
                                                                                                                                                      • Instruction Fuzzy Hash: A3514636241245EFC791EFACD844E6ABBA4EF04A6CF14845EFD059B333C671D945CA22
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                                                                      • API String ID: 0-523794902
                                                                                                                                                      • Opcode ID: 239379749cd35363c57fbad15d57e4e64aeca8d22ca52d98c332651989c2a51b
                                                                                                                                                      • Instruction ID: 017767de4a3ca2322c4b1e42257aebe7e1aa0ba3883cf0a128f3c51a8c0783e7
                                                                                                                                                      • Opcode Fuzzy Hash: 239379749cd35363c57fbad15d57e4e64aeca8d22ca52d98c332651989c2a51b
                                                                                                                                                      • Instruction Fuzzy Hash: F142F2316087429FC716DF69C484B6BBBE9FF84608F48896EE486CB3A1D734D845CB52
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                                                                                      • API String ID: 0-122214566
                                                                                                                                                      • Opcode ID: ef04e703deb1a436893a0bd094921897717f2633b5e45b12ca4672848109c0f2
                                                                                                                                                      • Instruction ID: a8cf5cdb938882b227c6d12cd55e0303e4ff55b2ffa654c0544223f67ca35429
                                                                                                                                                      • Opcode Fuzzy Hash: ef04e703deb1a436893a0bd094921897717f2633b5e45b12ca4672848109c0f2
                                                                                                                                                      • Instruction Fuzzy Hash: F4C16B71A0021A9BDB259F6CC882BBFFBA5EF55B48F14406EE9029B399D774DC44C390
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                      • API String ID: 0-792281065
                                                                                                                                                      • Opcode ID: 9ce47a8d1b059776c7aa0fe8587f9fb23fef1a43118f946ae8f8721a2804dd5f
                                                                                                                                                      • Instruction ID: 128707bd589fc6c4e6dc3b951326c122f1dd1d13ac7330cfdeb26959b999d636
                                                                                                                                                      • Opcode Fuzzy Hash: 9ce47a8d1b059776c7aa0fe8587f9fb23fef1a43118f946ae8f8721a2804dd5f
                                                                                                                                                      • Instruction Fuzzy Hash: 599158B0A01735DBDB359F18D80ABAA7FA5FB24B18F85402EE6056B3F1D7749881C790
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
• API String ID: 0-1745908468
• Opcode ID: eb7187fe9a7251035a0169401f97d520d451b2d5aa073e4f410b10ea7ced686c
• Instruction ID: 959f2b237e3853327f2e153e5c138ab2d018cba72f06c692737fc1c057e5691f
• Opcode Fuzzy Hash: eb7187fe9a7251035a0169401f97d520d451b2d5aa073e4f410b10ea7ced686c
• Instruction Fuzzy Hash: AD912035A006459FEB52DFA9D440AAEBFF2FF59314F08800EE8419B363CB729945CB02
Strings
• LdrpInitShimEngine, xrefs: 01409783, 01409796, 014097BF
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 0140977C
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 014097B9
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01409790
• apphelp.dll, xrefs: 013A6446
• minkernel\ntdll\ldrinit.c, xrefs: 014097A0, 014097C9
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
• Opcode ID: b88af33fcc91c6e6a4c7871cd2e3a73c2ac030ca818e47b6e9d75004eedd5180
• Instruction ID: 99abeb1239862bf6f8453273d3a44222652863247a018712fd87e2aef5e4b5c9
• Opcode Fuzzy Hash: b88af33fcc91c6e6a4c7871cd2e3a73c2ac030ca818e47b6e9d75004eedd5180
• Instruction Fuzzy Hash: 7E51F771204305DFE721DF25D891F6B7BE8FB9460CF84452EF589972A1E630D904CB92
Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01421FC9
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01421FA9
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01421F8A
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01421F82
• SXS: %s() passed the empty activation context, xrefs: 01421F6F
• RtlGetAssemblyStorageRoot, xrefs: 01421F6A, 01421FA4, 01421FC4
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
• Opcode ID: 014ffe175348bd566921cf657912ca118b4c0f6ccb08235de25d1fb88232d2ff
• Instruction ID: fb15272243452dcd16da48916303a55ba1356b9177242ff1da9d1532684bbfa4
• Opcode Fuzzy Hash: 014ffe175348bd566921cf657912ca118b4c0f6ccb08235de25d1fb88232d2ff
• Instruction Fuzzy Hash: 6C31FD72B003357BEB205A8B8C59F5B7AACDB64E58F06415AFA1077394C3B0AE41CAD0
Strings
• LdrpInitializeImportRedirection, xrefs: 01427F82, 01427FF6
• minkernel\ntdll\ldrredirect.c, xrefs: 01427F8C, 01428000
• Unable to build import redirection Table, Status = 0x%x, xrefs: 01427FF0
• Loading import redirection DLL: '%wZ', xrefs: 01427F7B
• LdrpInitializeProcess, xrefs: 013EC5E4
• minkernel\ntdll\ldrinit.c, xrefs: 013EC5E3
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Opcode ID: 0f43abed8c677a8809fbae0dce338b008e1697da53d74bd393cf596dfaffad55
• Instruction ID: a2d4bc186a0dd57e784ba1490ad72d80105cd8943aa217d77b11931934baec84
• Opcode Fuzzy Hash: 0f43abed8c677a8809fbae0dce338b008e1697da53d74bd393cf596dfaffad55
• Instruction Fuzzy Hash: AB31C4B16043529BC324EF2DD845E2BBBD4EFA4B18F45455DF9846B3A1E630DC048792
Strings
• WindowsExcludedProcs, xrefs: 013D514A
• Kernel-MUI-Language-Allowed, xrefs: 013D519B
• Kernel-MUI-Language-SKU, xrefs: 013D534B
• Kernel-MUI-Language-Disallowed, xrefs: 013D5272
• Kernel-MUI-Number-Allowed, xrefs: 013D5167
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
• API String ID: 0-258546922
• Opcode ID: 5d3e7062331d652510a2696d63e4e38f7189326c46043c16db8e2e0c9335a6b7
• Instruction ID: 61490fdda9f81e0c86d52d1e5ae3270d8aa1762ae60f26d022873b81bbe62605
• Opcode Fuzzy Hash: 5d3e7062331d652510a2696d63e4e38f7189326c46043c16db8e2e0c9335a6b7
• Instruction Fuzzy Hash: 5EF11C72D01219EFDB11DF99D980AEEBBB8FF18658F14406AE505F7210EB709E05CBA0
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 6b1b88055ded257fbe491fae13ba0d005b1a900badbc0e0f1aa758d41d380b33
• Instruction ID: 2d4f7157edae4759cb5dff4eca489bac24b06c9cb32824d2ec6e46b54b4f309a
• Opcode Fuzzy Hash: 6b1b88055ded257fbe491fae13ba0d005b1a900badbc0e0f1aa758d41d380b33
• Instruction Fuzzy Hash: 79C16D71108786CFD721CF18C080BAAB7E4BF84748F04496AFA95DBB51E778CA49CB56
Strings
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 013E847E
• LdrpInitializeProcess, xrefs: 013E8342
• @, xrefs: 013E84B1
• minkernel\ntdll\ldrinit.c, xrefs: 013E8341
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: 318e944c682dbc5bf007a723fd94db5e13929f2df06dab2f0ef8b1071b257a08
• Instruction ID: 26ba8a044b6aa0e3cc60f184161d0ccb921a84c3216ab9e708d9336cbaecf05e
• Opcode Fuzzy Hash: 318e944c682dbc5bf007a723fd94db5e13929f2df06dab2f0ef8b1071b257a08
• Instruction Fuzzy Hash: 24919E71608355AFE721DF69C844FABBBECEB84748F40096EFA8492191E734D944CB62
Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01410EB5
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01410E72
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01410E2F
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01410DEC
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: 1ba86fbb79fbc7e86c6e6ad4aa8b64d800ce2e4143bc57f2b10075d67965b8c7
• Instruction ID: 66899bc2fb189da831ad8b860f9768cc12d91a6ec4807adb3e9a3e064fd141dc
• Opcode Fuzzy Hash: 1ba86fbb79fbc7e86c6e6ad4aa8b64d800ce2e4143bc57f2b10075d67965b8c7
• Instruction Fuzzy Hash: D47121B19047059FCB21DF19C8C1B9B3FA9EF94768F400469FA489B697D334D588CB91
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
• API String ID: 0-2586055223
• Opcode ID: cdc2e746cdb8ff305e382d8c5910c91157a5b30bd53f76470c2b63138f8c1a7b
• Instruction ID: 66d31808fe4b2e8aca698493b27ee39e5dfb82970e50c40cc2ffe6313c7f291c
• Opcode Fuzzy Hash: cdc2e746cdb8ff305e382d8c5910c91157a5b30bd53f76470c2b63138f8c1a7b
• Instruction Fuzzy Hash: 5B6105312447419FE722DB69C844F6BBBECEF94B58F04486EFA559B2E1C634D800C762
Strings
• LdrpCompleteMapModule, xrefs: 0141A39D
• Could not validate the crypto signature for DLL %wZ, xrefs: 0141A396
• MZER, xrefs: 013D1608
• minkernel\ntdll\ldrmap.c, xrefs: 0141A3A7
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
• API String ID: 0-1409021520
• Opcode ID: 9c67ce2cca73b32ca0f1f3d8adf41ed446bcdbe31fe89d759f92aa810a643e8a
• Instruction ID: 3bb5a29f2e7d4a39146757b8099836bf11c54897a6fafcc29f2c455808f75e81
• Opcode Fuzzy Hash: 9c67ce2cca73b32ca0f1f3d8adf41ed446bcdbe31fe89d759f92aa810a643e8a
• Instruction Fuzzy Hash: 2F514B32A04785DBEB22CF6CD944B6A7BE5FF00718F584169E9529B7E2D778E900CB40
Strings
• LdrpDynamicShimModule, xrefs: 0141A7A5
• apphelp.dll, xrefs: 013D2382
• minkernel\ntdll\ldrinit.c, xrefs: 0141A7AF
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0141A79F
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                      • API String ID: 0-176724104
                                                                                                                                                      • Opcode ID: 89156bfc11e472e282e5619ae073c87335a0e8815de6079461576011e83fb8e4
                                                                                                                                                      • Instruction ID: 683d0aac577731d37dff90c8487257b8b47e9ef5e256131e717f4720aaf77b63
                                                                                                                                                      • Opcode Fuzzy Hash: 89156bfc11e472e282e5619ae073c87335a0e8815de6079461576011e83fb8e4
                                                                                                                                                      • Instruction Fuzzy Hash: 2A315B72A01241EBEB319F1DD881A6F7BB4FB80B04F6A401EE90167379EB709942C750
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                                                                                      • API String ID: 2994545307-1391187441
                                                                                                                                                      • Opcode ID: cfdc176a34354fd3b3e7c7bd045f99244fc2aeb1ddf66c3d0698dc558f113c3a
                                                                                                                                                      • Instruction ID: ead0433bbe369012e4a1fecaaffdaa0b6d646ed5476bf17a2522b7fb6ad2221f
                                                                                                                                                      • Opcode Fuzzy Hash: cfdc176a34354fd3b3e7c7bd045f99244fc2aeb1ddf66c3d0698dc558f113c3a
                                                                                                                                                      • Instruction Fuzzy Hash: CC310B36A00209EFCB11DB59CC84F9ABBB8EF45768F14406AF905B73A1D770EA40CB60
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: $ $0
                                                                                                                                                      • API String ID: 0-3352262554
                                                                                                                                                      • Opcode ID: 59c99f8e2e4664df73de2e97b051d0cd825c022c16a220a20e892f4342351a7a
                                                                                                                                                      • Instruction ID: da2c235d7aeb9ce8ddaff6b9f656313d07e80b7a9082bdad3c4d58d46c7652c9
                                                                                                                                                      • Opcode Fuzzy Hash: 59c99f8e2e4664df73de2e97b051d0cd825c022c16a220a20e892f4342351a7a
                                                                                                                                                      • Instruction Fuzzy Hash: 983217B1608381CFE390CF68C584B5BBBE5BB88348F04492EF99987361D775E949CB52
                                                                                                                                                      Strings
                                                                                                                                                      • HEAP: , xrefs: 013B14B6
                                                                                                                                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 013B1648
                                                                                                                                                      • HEAP[%wZ]: , xrefs: 013B1632
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                                                                      • API String ID: 0-3178619729
                                                                                                                                                      • Opcode ID: afc576a10197bf78816bb4ee6bd8d24c75608f9eaa44cf21a3dadab8b2015581
                                                                                                                                                      • Instruction ID: 8d9b1fec8e6029531fc1b44833a2225d4e7cd86af12e7dc47607e580bb1afcc8
                                                                                                                                                      • Opcode Fuzzy Hash: afc576a10197bf78816bb4ee6bd8d24c75608f9eaa44cf21a3dadab8b2015581
                                                                                                                                                      • Instruction Fuzzy Hash: 33E148306002459FDB25CF2DD4A07BABBF5EF44318F18846EEA96DBA86E334D944C750
                                                                                                                                                      Strings
                                                                                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014200F1
                                                                                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014200C7
                                                                                                                                                      • RTL: Re-Waiting, xrefs: 01420128
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                      • API String ID: 0-2474120054
                                                                                                                                                      • Opcode ID: 6f95bf547ee1899298070a2cbab30e9c1e4b8fdb57374f35b0132a2f2a94a9cd
                                                                                                                                                      • Instruction ID: fbc51127c55a513a00ab9c07fa218f7619ac9aacd5d434a13a78f3e169da431d
                                                                                                                                                      • Opcode Fuzzy Hash: 6f95bf547ee1899298070a2cbab30e9c1e4b8fdb57374f35b0132a2f2a94a9cd
                                                                                                                                                      • Instruction Fuzzy Hash: DFE1C071608741DFD725CF2CD880B2ABBE5BB84328F140A1EF5A68B6E1D774D946CB42
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                                                                                                      • API String ID: 0-1145731471
                                                                                                                                                      • Opcode ID: f74767356371d3f61645d5faba27a969177bfc188859bb961e3905e8e9c0bf67
                                                                                                                                                      • Instruction ID: 97434b8da7cb0881f28d378e1531980b5badf5614349564fe2afec2ad8140edc
                                                                                                                                                      • Opcode Fuzzy Hash: f74767356371d3f61645d5faba27a969177bfc188859bb961e3905e8e9c0bf67
                                                                                                                                                      • Instruction Fuzzy Hash: B8B1B331A016058FDB25CF59C990BADBBB5BF54728F14882AE619DBBA4E730D840CF10
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                                                                                                      • API String ID: 0-2391371766
                                                                                                                                                      • Opcode ID: a4976cd79efe37f5f212595cab4563eabaa4fe31b3eceeb3322387c31205b778
                                                                                                                                                      • Instruction ID: f1ecc9b949be06d9605fb3cbf125c1c15e49a10d2acaa25320e9618b123c8d7d
                                                                                                                                                      • Opcode Fuzzy Hash: a4976cd79efe37f5f212595cab4563eabaa4fe31b3eceeb3322387c31205b778
                                                                                                                                                      • Instruction Fuzzy Hash: B6B1A271604345AFE721DF58C880B6BBBE8BB88714F45492EFA549B3A0D771EC04CB92
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                      • API String ID: 0-2779062949
                                                                                                                                                      • Opcode ID: 8286b4cdf58e9795796d0f710c2dac9608c892d76579de632a4ce616ffb975a3
                                                                                                                                                      • Instruction ID: 9044689b9a54c06e9e882d06f99ca79a32f5d4abdbb0793d29d7d4658f09a3bd
                                                                                                                                                      • Opcode Fuzzy Hash: 8286b4cdf58e9795796d0f710c2dac9608c892d76579de632a4ce616ffb975a3
                                                                                                                                                      • Instruction Fuzzy Hash: E8A15172911229DBDB32DF68CC88B9AB7B4EF04714F1001EAE909A7250D735AE85CF50
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                                                                                                      • API String ID: 0-318774311
                                                                                                                                                      • Opcode ID: 01d5de6518f88f735dc4488a8fc328dc90c0c5868e7e872f591fed8ea62172dd
                                                                                                                                                      • Instruction ID: c439033acb974196720bccddea7cd9f1e6e1a73eeeb68cf0ab14acb293c8383a
                                                                                                                                                      • Opcode Fuzzy Hash: 01d5de6518f88f735dc4488a8fc328dc90c0c5868e7e872f591fed8ea62172dd
                                                                                                                                                      • Instruction Fuzzy Hash: DB818B71208351AFF721CF19C840B6BBBE8BF84B54F04492EFA819B3A0DB70D9048B52
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                                                                                                                      • API String ID: 0-3870751728
                                                                                                                                                      • Opcode ID: dfc2ca63a5477eecab52e2c2bcb16b13932a32f396d509359f103e44cdbf3379
                                                                                                                                                      • Instruction ID: fd92e4946a2bbf344c51ee0a6781155ba8dcc08a2054cd0d4a9c867c7fd9ab5d
                                                                                                                                                      • Opcode Fuzzy Hash: dfc2ca63a5477eecab52e2c2bcb16b13932a32f396d509359f103e44cdbf3379
                                                                                                                                                      • Instruction Fuzzy Hash: ED912DB0E006059FEB14CFA9C480BADBBF1BF9C315F14816AE945AB3A1E7759842CF54
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
• API String ID: 0-373624363
• Opcode ID: f914231b26d556e2d0fafb59aab3d980855641a25bd9b3191c4b639e3e65f0f0
• Instruction ID: 6251631247ad1c89edcee78790adab4d5c2ea0c5352722a91ef46da857eb8ac8
• Opcode Fuzzy Hash: f914231b26d556e2d0fafb59aab3d980855641a25bd9b3191c4b639e3e65f0f0
• Instruction Fuzzy Hash: 3691D331A05249CFDB21CF58C4807EEB7B4FF04728F14459AEA15AB798EB78DA40CB91
Strings
• TargetNtPath, xrefs: 0148B3AF
• \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0148B3AA
• GlobalizationUserSettings, xrefs: 0148B3B4
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
• API String ID: 0-505981995
• Opcode ID: 76769f3bdbf59b50e65c8773c617124edf8c917ec71146d159cf28e11a1d1546
• Instruction ID: c94b17e8a9e8e21d020062c144264a5391a395d7ac88f2cb3c82a378fd0493da
• Opcode Fuzzy Hash: 76769f3bdbf59b50e65c8773c617124edf8c917ec71146d159cf28e11a1d1546
• Instruction Fuzzy Hash: 626143719416299FDB31AF58DC88B9EBBB8EB14714F0101E9EA08A7260D774DE85CF90
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
• API String ID: 0-2283098728
• Opcode ID: 385bae8c030b41bcbdafc0f9996f9167990c07af677395b0f9550403ee63d1b4
• Instruction ID: 5f2e1c17313ec5438a05e70662f686b916ba7e3213125b03e1510c08b277f0f6
• Opcode Fuzzy Hash: 385bae8c030b41bcbdafc0f9996f9167990c07af677395b0f9550403ee63d1b4
• Instruction Fuzzy Hash: 95515972700302DBD725EF3CE885B2A7BA5BB94B1CF1A062DE5469B695E770A804C781
Strings
• RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0140E455
• HEAP: , xrefs: 0140E442
• HEAP[%wZ]: , xrefs: 0140E435
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
• API String ID: 0-1340214556
• Opcode ID: f1cbfcbd255671776e45410068d946e910ea0277298e796be2ffefd2c19731d0
• Instruction ID: c3657216c693630e37653bd97cfe176659e780c511351c8394fb800721f04953
• Opcode Fuzzy Hash: f1cbfcbd255671776e45410068d946e910ea0277298e796be2ffefd2c19731d0
• Instruction Fuzzy Hash: FE51F331604685AFE712DBA9C884FAEBFFCFF04708F0444A9E5519B6A2D774E910CB50
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
• API String ID: 0-1151232445
• Opcode ID: 7619b7af9f0fa9208cce5121ced363690a15dbc18ecbe5fd8823d54e33345ef1
• Instruction ID: 59591755d4263eb0c0ce57377fecea5295ad0e387a4b8a68e7384129c8c8e91e
• Opcode Fuzzy Hash: 7619b7af9f0fa9208cce5121ced363690a15dbc18ecbe5fd8823d54e33345ef1
• Instruction Fuzzy Hash: 364128346403809FEF3ACB1EC0D87767B91DF41218F78447AD9868BAB6C676D446C761
Strings
• TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 01421943
• minkernel\ntdll\ldrtls.c, xrefs: 01421954
• LdrpAllocateTls, xrefs: 0142194A
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
• API String ID: 0-4274184382
• Opcode ID: 9391de319e2c074d842ec52bb85bc4e5ff4523aeb989d56133751cee7e9d4944
• Instruction ID: 95c6ca77a71de5782a4999f1bb2014a5fae564fa0409f46c79e690ead59b8fe7
• Opcode Fuzzy Hash: 9391de319e2c074d842ec52bb85bc4e5ff4523aeb989d56133751cee7e9d4944
• Instruction Fuzzy Hash: 6D41ACB5A00315AFDB15DFA9C881BAEBBF5FF58708F44811AE505AB360D775A840CF90
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01434519
• LdrpCheckRedirection, xrefs: 0143450F
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01434508
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: e9a0b4d6c6809ed08af7fad5ee0660930bc4eeedfe231b2930791db33cd4cee4
• Instruction ID: b37745bca911bb129d56cebd9054d6d70b8950b2d53c8fcaa81f87560f22820f
• Opcode Fuzzy Hash: e9a0b4d6c6809ed08af7fad5ee0660930bc4eeedfe231b2930791db33cd4cee4
• Instruction Fuzzy Hash: FE41B032604211ABCB21CF59D940AA7BBE4AFEC654B0E067FED9897376D730DC018B91
Strings
• RtlCreateActivationContext, xrefs: 01422803
• Actx , xrefs: 013E32CC
• SXS: %s() passed the empty activation context data, xrefs: 01422808
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
• API String ID: 0-859632880
• Opcode ID: a23fded6d99e31576a27c362e078da9177d5f517852a157fe0f21cdbbb7730d6
• Instruction ID: 1797dc50a59564c95450f424db9cbdc4907164d85143a31ff3cb275909840d6d
• Opcode Fuzzy Hash: a23fded6d99e31576a27c362e078da9177d5f517852a157fe0f21cdbbb7730d6
• Instruction Fuzzy Hash: 5C3131326003259BEB12CE18C884F9A7BE4BB48718F00452AFE019F391DBB1EC46CBD0
Strings
• @, xrefs: 0143B2F0
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0143B2B2
• GlobalFlag, xrefs: 0143B30F
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
• API String ID: 0-4192008846
• Opcode ID: 3f700974b23399c13020f05f665bdd388455a2d281532fccc42499939b9eaf15
• Instruction ID: f36d427ecb573b6882bb1f4cc54accabd7d89d31ea4ac7b4845e44f3173925e0
• Opcode Fuzzy Hash: 3f700974b23399c13020f05f665bdd388455a2d281532fccc42499939b9eaf15
• Instruction Fuzzy Hash: 3B3141B1A00219AEDB10EF99CC81BEFBB7CEF58744F44046AEA15A7251D7749E048B90
Strings
• DLL "%wZ" has TLS information at %p, xrefs: 0142184A
• minkernel\ntdll\ldrtls.c, xrefs: 0142185B
• LdrpInitializeTls, xrefs: 01421851
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
• API String ID: 0-931879808
• Opcode ID: ac0ba9cad592fe96f6a8eed974fa09689a403aaf781a2d3b077f41f590c08b4c
• Instruction ID: e3445a0c9a3748d28a668292b84163f163c5719ab4a386e6355c28b698df36ce
• Opcode Fuzzy Hash: ac0ba9cad592fe96f6a8eed974fa09689a403aaf781a2d3b077f41f590c08b4c
• Instruction Fuzzy Hash: 18310C71A10315FBE7209F59CD89F6A7BECFB5074CF46012AE506AB2E0D7B0AD458790
Strings
• \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 013F119B
• @, xrefs: 013F11C5
• BuildLabEx, xrefs: 013F122F
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 0-3051831665
• Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
• Instruction ID: 230821db17307343d3553e72f5656e63e54bef529100a41d875feb698ab318f7
• Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
• Instruction Fuzzy Hash: 2C3172B690021AFBDF11DBD8DC44EEFBBBDEB54658F004029E604A72A0D730DA058B90
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-149943524
• Opcode ID: 9e17e43fedd91686f1e8b16e2ab4d1c09865a3dc97fca983796f15d13a14d524
• Instruction ID: 9e56f99982aebb17eb0ffe29d982b8ead7968a7c93af726928eb96301673fb7a
• Opcode Fuzzy Hash: 9e17e43fedd91686f1e8b16e2ab4d1c09865a3dc97fca983796f15d13a14d524
• Instruction Fuzzy Hash: 37329C716083118BD724CF19C480B3FBBE6AF89B58F15491EFA96872A0E774EC44CB52
Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @$AddD
                                                                                                                                                      • API String ID: 0-2525844869
                                                                                                                                                      • Opcode ID: 7e0c8600233cf34311f91910930b339df3dcb34f269aa69f82bd2a9346ac5fe2
                                                                                                                                                      • Instruction ID: a0b4511b24d617d9fd6396aa7a15bff926d4bfb47b7d00d990491b6859952a6c
                                                                                                                                                      • Opcode Fuzzy Hash: 7e0c8600233cf34311f91910930b339df3dcb34f269aa69f82bd2a9346ac5fe2
                                                                                                                                                      • Instruction Fuzzy Hash: 12A14D72104345AFE315DB18C945BABBBE9FFC8B05F144A2EFA9487260E770E905CB52
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                      • String ID: Legacy$UEFI
                                                                                                                                                      • API String ID: 2994545307-634100481
                                                                                                                                                      • Opcode ID: 605524256b296eb2d01391d4a50723998428b4013fdfd5bea8afb254312ac391
                                                                                                                                                      • Instruction ID: e0ba53597b1d2b67c05570d4a546ce0878fa1bcc1bb1075ef448c4861fa93e86
                                                                                                                                                      • Opcode Fuzzy Hash: 605524256b296eb2d01391d4a50723998428b4013fdfd5bea8afb254312ac391
                                                                                                                                                      • Instruction Fuzzy Hash: 49619F71A003199FDB24DFA9C840BAEBBB4FF04744F54402EE649EB261E730E981CB50
                                                                                                                                                      Strings
                                                                                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 0148B5C4
                                                                                                                                                      • RedirectedKey, xrefs: 0148B60E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
                                                                                                                                                      • API String ID: 0-1388552009
                                                                                                                                                      • Opcode ID: 69e21cfe88d976ca4213b7f5ffd1434f8b3bd2a7449d9df9352c7ac7c01d7e78
                                                                                                                                                      • Instruction ID: 061b739678572cf79f9f67e272f8d1ef70882170af02165ae4a8504c625e0f1a
                                                                                                                                                      • Opcode Fuzzy Hash: 69e21cfe88d976ca4213b7f5ffd1434f8b3bd2a7449d9df9352c7ac7c01d7e78
                                                                                                                                                      • Instruction Fuzzy Hash: F96124B5D00319EFDB21EF94D888ADEBFB9FB08714F64406AE905A7210D7709A45CFA1
                                                                                                                                                      Strings
                                                                                                                                                      • kLsE, xrefs: 013B05FE
                                                                                                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013B0586
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                                      • API String ID: 0-2547482624
                                                                                                                                                      • Opcode ID: cbb5ed40764261fcb081dbaea8ce14871dbed65ff933a23af734287eeaee059d
                                                                                                                                                      • Instruction ID: 3c95d5d1a92cd6b0272b9a439dd496b125ff40f7cb84e7e34a12a71a1951d929
                                                                                                                                                      • Opcode Fuzzy Hash: cbb5ed40764261fcb081dbaea8ce14871dbed65ff933a23af734287eeaee059d
                                                                                                                                                      • Instruction Fuzzy Hash: 84519F71A0474ADFDB28DFA9C4806EBB7F8AF44308F10483FE69693E51E6349505CB61
                                                                                                                                                      Strings
                                                                                                                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 013BA229
                                                                                                                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 013BA21B
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                      • API String ID: 0-2876891731
                                                                                                                                                      • Opcode ID: 2b918a1333d77611f49b5ff9ca7bcd19f9cd7d17d4b93903ac1071256f16e0f2
                                                                                                                                                      • Instruction ID: de8327150f0029b979695fa824ab592747b57b039bb58ac23d96d1472fed158f
                                                                                                                                                      • Opcode Fuzzy Hash: 2b918a1333d77611f49b5ff9ca7bcd19f9cd7d17d4b93903ac1071256f16e0f2
                                                                                                                                                      • Instruction Fuzzy Hash: 0141AE30B00A559BDB15CF5DC480BAABBB5FF45748F2480A6EA04DF7A5F676D900CB10
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                                                                                                                      • API String ID: 0-118005554
                                                                                                                                                      • Opcode ID: 269431ef43f3a701c63b19817f4792d654c12178a3e8b769f421de541919819e
                                                                                                                                                      • Instruction ID: 5ebe7eaf1a45431faeafb96e88d9f4519b84f26238d497c5855c52754eb520fd
                                                                                                                                                      • Opcode Fuzzy Hash: 269431ef43f3a701c63b19817f4792d654c12178a3e8b769f421de541919819e
                                                                                                                                                      • Instruction Fuzzy Hash: 7E31DC312087529BE315DF6DD844B2ABBE4FF84B14F08486AEE558B3A0EA30D905CB52
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: .Local\$@
                                                                                                                                                      • API String ID: 0-380025441
                                                                                                                                                      • Opcode ID: 3101910f3183ce98f931e212e17c879783050e7ab91fe9150815579e6e1e092c
                                                                                                                                                      • Instruction ID: a855b4f4b569ff1e3c5eadd01c18cb61ad3a740045049feaf369e3fbc3da88cf
                                                                                                                                                      • Opcode Fuzzy Hash: 3101910f3183ce98f931e212e17c879783050e7ab91fe9150815579e6e1e092c
                                                                                                                                                      • Instruction Fuzzy Hash: 29318FB1509315AFD721DF2CC984AABBBE8FB85658F00092EF9D583290D735DD08CB92
                                                                                                                                                      Strings
                                                                                                                                                      • RtlpInitializeAssemblyStorageMap, xrefs: 0142289A
                                                                                                                                                      • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 0142289F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                                                                                                                      • API String ID: 0-2653619699
                                                                                                                                                      • Opcode ID: 51bf1c6cb6402e7212c72360a8a2069661792151a9d22173a37c5b6d06b97690
                                                                                                                                                      • Instruction ID: 222da763f152f6c4c88ee6bc011d1b8a617fa091e76183327612a2a7d2c88e44
                                                                                                                                                      • Opcode Fuzzy Hash: 51bf1c6cb6402e7212c72360a8a2069661792151a9d22173a37c5b6d06b97690
                                                                                                                                                      • Instruction Fuzzy Hash: A0112C72B00325BBE7158A4DCC45F5B7AE9DB84B58F15802EFA04EB394D6B4DD0047A4
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                      • String ID: Cleanup Group$Threadpool!
                                                                                                                                                      • API String ID: 2994545307-4008356553
                                                                                                                                                      • Opcode ID: 97f58bb1158eb27688e4354b24a177157a484e8cf2609a4208ccaed6eec6333b
                                                                                                                                                      • Instruction ID: e0359c911c4b9d5aa0d6a1c88fb1263b9b7472141a0ac51bdd74cb5917e6ff5c
                                                                                                                                                      • Opcode Fuzzy Hash: 97f58bb1158eb27688e4354b24a177157a484e8cf2609a4208ccaed6eec6333b
                                                                                                                                                      • Instruction Fuzzy Hash: AB01D1B2250704EFD311DF14CE09B127BE8E780B19F05897AE698C75D0E734D900CB45
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                      • Opcode ID: 0ad4afd3f775aa306e358523739138252f1fce4c487f7851687ac64125a5884f
                                                                                                                                                      • Instruction ID: c661215d2c6c95c4e005976af7175b0f02aba25f846280c348b13bca0f14cf9b
                                                                                                                                                      • Opcode Fuzzy Hash: 0ad4afd3f775aa306e358523739138252f1fce4c487f7851687ac64125a5884f
                                                                                                                                                      • Instruction Fuzzy Hash: AB918472940216BFEB21DF99DD85FAE7BB8EF49714F150056F600AB291DB71AD00CBA0
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: GlobalTags
                                                                                                                                                      • API String ID: 0-1106856819
                                                                                                                                                      • Opcode ID: 80864776339702be193f4c0ba9685cb568df68770769d9c7b64453af01e1e8bf
                                                                                                                                                      • Instruction ID: a10124c91cb212dc4f513dcd6eb54b53fb2ff5523b317c3c50f091ec01d7cba4
                                                                                                                                                      • Opcode Fuzzy Hash: 80864776339702be193f4c0ba9685cb568df68770769d9c7b64453af01e1e8bf
                                                                                                                                                      • Instruction Fuzzy Hash: C4716B75E0022A9BDF24CF9CD5806AEBBF2BF58610F55812EE905A7365EB318981CB50
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: #%u
                                                                                                                                                      • API String ID: 0-232158463
                                                                                                                                                      • Opcode ID: 4b98d02a519f5e7bcdab5a2b022aa6c275604e4183185668dcc0ad3e25cbde4d
                                                                                                                                                      • Instruction ID: 8c6e63c781fdd18ba3289bad11fe40d6d222292d5b731cdaf97ee5ade7329fd3
                                                                                                                                                      • Opcode Fuzzy Hash: 4b98d02a519f5e7bcdab5a2b022aa6c275604e4183185668dcc0ad3e25cbde4d
                                                                                                                                                      • Instruction Fuzzy Hash: 7E715B71A0014ADFDB05DFA9C984BAEB7F8BF18708F14406AE905E7265EB34ED45CB60
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @
                                                                                                                                                      • API String ID: 0-2766056989
                                                                                                                                                      • Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                                                                                                                                      • Instruction ID: 9b47d995048f098fd14417a9fcdfe302e2377cdb5bea6621a2f96a95d2b694e6
                                                                                                                                                      • Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                                                                                                                                      • Instruction Fuzzy Hash: DE517F72904746AFE7219F58C840F6BB7E8FB98714F00092EFA45972A0D775ED09CB92
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: EXT-
                                                                                                                                                      • API String ID: 0-1948896318
                                                                                                                                                      • Opcode ID: 2d91c4ed7a6a20880882010464c90a6069364d68a705201b5b9d572f7e4ba87a
                                                                                                                                                      • Instruction ID: ba918946a2ff68f682958ee5d7b87132b335d88b6949c50ca0b69621df91895a
                                                                                                                                                      • Opcode Fuzzy Hash: 2d91c4ed7a6a20880882010464c90a6069364d68a705201b5b9d572f7e4ba87a
                                                                                                                                                      • Instruction Fuzzy Hash: 634184725143129BD710DB69C844B6BBBE8AF88B2CF44093DF584E7240EB74DD048796
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: @
                                                                                                                                                      • API String ID: 0-2766056989
                                                                                                                                                      • Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                                                                                                                                      • Instruction ID: e3493fd5504f5388c8215c867e4ad80e0eda871d81048c9610130d078ca2cb04
                                                                                                                                                      • Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                                                                                                                                                      • Instruction Fuzzy Hash: B051AC71200711AFC320CF19C840A6BBBF8FF48B14F00892EFA95976A0E7B4E954CB91
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: BinaryHash
                                                                                                                                                      • API String ID: 0-2202222882
                                                                                                                                                      • Opcode ID: 00912fb58427693bb31efcde55cc279905dff3fd7f3bd65c103d5d5732f95ac3
                                                                                                                                                      • Instruction ID: 95547c84dca6669c8d0f58177ce1f3a60fb99d48ac9dcfa5698f5407a38c72c6
                                                                                                                                                      • Opcode Fuzzy Hash: 00912fb58427693bb31efcde55cc279905dff3fd7f3bd65c103d5d5732f95ac3
                                                                                                                                                      • Instruction Fuzzy Hash: 924122B1D0052DAADB21DA54CC84FDFB77CAB54718F4045EAEB08A7151DB709E888FA4
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: verifier.dll
                                                                                                                                                      • API String ID: 0-3265496382
                                                                                                                                                      • Opcode ID: ede30467139226043e6ed99891f5ff8d1a967ef494fe4638ca264a65d59e7162
                                                                                                                                                      • Instruction ID: 5ec544dcbbc22739fc57bb1ff76f1ff32aef2565e5510f0a05840cc2a1249c8b
                                                                                                                                                      • Opcode Fuzzy Hash: ede30467139226043e6ed99891f5ff8d1a967ef494fe4638ca264a65d59e7162
                                                                                                                                                      • Instruction Fuzzy Hash: 243180727002029FEB258F1DD950B267BE5EB9C718F95803BE609DF3A1E6B18D818B50
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: #
                                                                                                                                                      • API String ID: 0-1885708031
                                                                                                                                                      • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                      • Instruction ID: 60e0a83f51359a55d55d03b8ce02021163d1b7d64fd826c68c41c7152d46f5d8
                                                                                                                                                      • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                      • Instruction Fuzzy Hash: B141AE71A0062ADBCF25DF88C484BBEBBF4EF40709F01405AE945A7690DB349942CBD1
                                                                                                                                                      Strings
                                                                                                                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 014385DE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                                      • API String ID: 0-702105204
                                                                                                                                                      • Opcode ID: 86417ab0848a8df4db574a54d419fb4b64008f72ae29733bc604aec9f327f275
                                                                                                                                                      • Instruction ID: 630d693e3730e4eba17a75b3117e7263bffc1812e6d291e6cc6c0e2512759a85
                                                                                                                                                      • Opcode Fuzzy Hash: 86417ab0848a8df4db574a54d419fb4b64008f72ae29733bc604aec9f327f275
                                                                                                                                                      • Instruction Fuzzy Hash: 3C012B322002075BE7315B1AE984AABBF75EFD8658F45062FF6051B672CB306841DB94
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6775fcf9a286722f88f92784e87cea46af72f641d088e2dbd0ea092413377492
                                                                                                                                                      • Instruction ID: 46e4926c6fc81fcd97ba4d61c22b43da64e2642d84022fb60788d03f6ec57193
                                                                                                                                                      • Opcode Fuzzy Hash: 6775fcf9a286722f88f92784e87cea46af72f641d088e2dbd0ea092413377492
                                                                                                                                                      • Instruction Fuzzy Hash: AD42C471A002168FDB16CF5EC4505AEB7B2FF88315B14856ED992AB3A1D734FC42CB91
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9944925412318bed876a1f2dffe09ff97e0015f6548e747772bf79f50ece1050
                                                                                                                                                      • Instruction ID: 775bd5e734aefcb4815b104d839b7bfd842f98258ef462b717eedf1c95b61b30
                                                                                                                                                      • Opcode Fuzzy Hash: 9944925412318bed876a1f2dffe09ff97e0015f6548e747772bf79f50ece1050
                                                                                                                                                      • Instruction Fuzzy Hash: 59329176E00219DBCF14DFA8E880BAEBBB5FF55708F1A006DE905AB394D7359901CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9db23b02657fde0984d1941db1c648f4eb0b97f49b752580082c74ba566d7bb5
                                                                                                                                                      • Instruction ID: bd6fe8d02f080600d8657baee518b0842b89039b952165f0c6df1b33a57f8ec8
                                                                                                                                                      • Opcode Fuzzy Hash: 9db23b02657fde0984d1941db1c648f4eb0b97f49b752580082c74ba566d7bb5
                                                                                                                                                      • Instruction Fuzzy Hash: 9932FF30A007598BDB24CF69C8547BFBBF2AF84704F15452EE44A9B7A9D7B4E842CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2b4627ad8402b1c84065ddd84eae398c0c47c3b24faa3190f84046689ab40e5
• Instruction ID: c8e24130c149d165e061a3b4a132936de11cb1dc5fbf813202cf1cfca0e2b340
• Opcode Fuzzy Hash: f2b4627ad8402b1c84065ddd84eae398c0c47c3b24faa3190f84046689ab40e5
• Instruction Fuzzy Hash: 69229435A002168FDB19CF5DC490ABEB7B2BF88B04F18856ED955EB355DB30E942CB90
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cd771fb006f9a1031ecaf3844d7d830de77298a704e2cbae7a1510ca555f6c67
                                                                                                                                                      • Instruction ID: 22a0c0706c9a58ce05672a11cb51765e61ade3759dd3b2b26d7bed69fd0ea959
                                                                                                                                                      • Opcode Fuzzy Hash: cd771fb006f9a1031ecaf3844d7d830de77298a704e2cbae7a1510ca555f6c67
                                                                                                                                                      • Instruction Fuzzy Hash: 6EB170B4900605CFDB25CF2CD4C47E97BB4BB0831CF29455AEB25ABAA6E774D842CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d21d71d7cdc66832fe859c78aba3667dc409cafc03563e00b4d35f6c6b73b8d2
                                                                                                                                                      • Instruction ID: 5e39a2685160f709c5efbb4f5ebe9fa1d0a3ef8c5994ed1b91c3361a75163e15
                                                                                                                                                      • Opcode Fuzzy Hash: d21d71d7cdc66832fe859c78aba3667dc409cafc03563e00b4d35f6c6b73b8d2
                                                                                                                                                      • Instruction Fuzzy Hash: 56A16B71608342CFC311CF29C480A6ABBE5FFD8708F15496EE6899B791E730E945CB92
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 4d893670376ea84d9402ff8a19741de287522f2a08d74b6837c9a471bf678941
                                                                                                                                                      • Instruction ID: c70b87804c58241970e20bed6a9fa335a9b49a34de7510896313897faffcdf3e
                                                                                                                                                      • Opcode Fuzzy Hash: 4d893670376ea84d9402ff8a19741de287522f2a08d74b6837c9a471bf678941
                                                                                                                                                      • Instruction Fuzzy Hash: 85811271A00705ABDB21DFA9CD84EAFBBF8EF59714F10051AE615AB2A0DB70E914CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                                                                                      • Instruction ID: 8c1b865fe46d34803693ee2378b70d71c95e376a2d7a6e98ca205c5f458d41b3
                                                                                                                                                      • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                                                                                      • Instruction Fuzzy Hash: 79718B31B0061A9BDB20CF59C890ABFBBEDEF54648F55411BDD00EB261E334D9828792
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6f64045cfe8580e49df9cd9e6fcf263bf99dba3a93c1b5ee1c8a5b0c46a4633f
                                                                                                                                                      • Instruction ID: 02e1b9983f913add260866bc3c7ee6d1bd5282d0cf34b338946f78bd8d3f8b0e
                                                                                                                                                      • Opcode Fuzzy Hash: 6f64045cfe8580e49df9cd9e6fcf263bf99dba3a93c1b5ee1c8a5b0c46a4633f
                                                                                                                                                      • Instruction Fuzzy Hash: A9619470B10116DBEB259E6DC840BFF7BAAAF84768F15411BE911973B4DB30D941C7A0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 186673d25b0f36716313bb292e4a9a070b6c519ac9aaf8371126168ad428ec10
                                                                                                                                                      • Instruction ID: ae55b10a6fde3664fce4797a2b3825629881f29ad3c7c4898e43fec259075c89
                                                                                                                                                      • Opcode Fuzzy Hash: 186673d25b0f36716313bb292e4a9a070b6c519ac9aaf8371126168ad428ec10
                                                                                                                                                      • Instruction Fuzzy Hash: 0971E0B1D0562ADBCB21CF59C9907BEBBB4FF48B14F19415EE846AB364D7309811CBA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e24d38adc26f6f86bd9651c96d2da98e92b46edc2f3fac9f0ebaf01fddf7b9db
                                                                                                                                                      • Instruction ID: fcbe8a0c9cef3db67c4a601e71a764f35e4068a50a81008dad7a8efd4e0a561d
                                                                                                                                                      • Opcode Fuzzy Hash: e24d38adc26f6f86bd9651c96d2da98e92b46edc2f3fac9f0ebaf01fddf7b9db
                                                                                                                                                      • Instruction Fuzzy Hash: 0771CD316046418FC311DF2CC490B2BB7E9FF94B18F0585AAE85A8B752DB74DC45CBA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                                                                                                                      • Instruction ID: ede42988e882165c5b630862281bc82e082ea7bfff999bec4fea478c6fa83d55
                                                                                                                                                      • Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                                                                                                                      • Instruction Fuzzy Hash: 21511C72A003239BDB11AFE8CC40ABB7BE5EF95654F44042AFA41D7361E734D896C7A1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9e1e41647bb62e9478c5460123e14c35f83d349ac91a3df13cfd1a3572b846f2
                                                                                                                                                      • Instruction ID: 5e762b8f5790890bfa342e4f3835daa4bdbcf9821030adc06fdd937bf25aa96a
                                                                                                                                                      • Opcode Fuzzy Hash: 9e1e41647bb62e9478c5460123e14c35f83d349ac91a3df13cfd1a3572b846f2
                                                                                                                                                      • Instruction Fuzzy Hash: C341F671200701AFDB269F2DD880B6BBBA9FF54718F55842AEA559B2E1D770DC01CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 607116695472adffa7daaec0845c4b2ea3984d5e164bdf75d89e2b6cc884553d
                                                                                                                                                      • Instruction ID: 32104712e8e76f5535ef3233f1c13fb03e91a4dad7730aad3c9e3f149c8f8d67
                                                                                                                                                      • Opcode Fuzzy Hash: 607116695472adffa7daaec0845c4b2ea3984d5e164bdf75d89e2b6cc884553d
                                                                                                                                                      • Instruction Fuzzy Hash: 9E51D5B12003129BD720EF69DD80F6B7BA8EF64729F55062EFA11872E1D734D840CBA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                      • Opcode ID: d62aab761c336bfe16e67e051f063d4679ffbd026c518465a50ded78da82d254
                                                                                                                                                      • Instruction ID: 2c6da3f08012cb49934d9c959c3e7cd40dd460b30f76b4519cec5b0408e1dd8e
                                                                                                                                                      • Opcode Fuzzy Hash: d62aab761c336bfe16e67e051f063d4679ffbd026c518465a50ded78da82d254
                                                                                                                                                      • Instruction Fuzzy Hash: 6251AF72944209EBEF21DFA8DC40BEEBBB9FF04348F60012AE690A7151DB719904CB10
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3b08e715515b852c6babc93e396aa0e837d08ad4ad52a30ba83b726fa91b42c3
                                                                                                                                                      • Instruction ID: bb96d558e2ecc937c8535eeb4a60219834eaab3bd15b81aae78104c7b7df8e72
                                                                                                                                                      • Opcode Fuzzy Hash: 3b08e715515b852c6babc93e396aa0e837d08ad4ad52a30ba83b726fa91b42c3
                                                                                                                                                      • Instruction Fuzzy Hash: F551F334A0060AEFDB15DB68C8847BEB7B5FF94719F14416AD60297AE0EB749901CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 8f4fd3055746ab4c515162f025be7eba4754bf364ea23a088486080cd9973bfb
                                                                                                                                                      • Instruction ID: d90bc12ae159af3d8c376674ad09913f967bee9d49c0b10b694d0345cd6f1259
                                                                                                                                                      • Opcode Fuzzy Hash: 8f4fd3055746ab4c515162f025be7eba4754bf364ea23a088486080cd9973bfb
                                                                                                                                                      • Instruction Fuzzy Hash: 6B517A71200A16DFCB22EF68C994EAAB3F9FF14748F41442AE612936A0D734ED40CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
                                                                                                                                                      • Instruction ID: aaea4a1afb271ba45d453a15143bed33118653bcadeaa0c22e94648c2f100fda
                                                                                                                                                      • Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
                                                                                                                                                      • Instruction Fuzzy Hash: 52518372E0020AEBDF15DF98D450BEEBBB9EF44718F04806AE901AB740DB74D945CBA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d91f260212b8a099875c6a8d26ea0fd16f1832a49712daab5f7093dd91ffac84
                                                                                                                                                      • Instruction ID: e380729835144b207932d066ad1cc726363875d1f800a46043703802ba7fdf5e
                                                                                                                                                      • Opcode Fuzzy Hash: d91f260212b8a099875c6a8d26ea0fd16f1832a49712daab5f7093dd91ffac84
                                                                                                                                                      • Instruction Fuzzy Hash: AC517371A0221A9FEF22DFACC8807EE77B4BF58358F150419F601FB661E77499408B51
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                                                                                      • Instruction ID: 2cd25de16b192ae92aafcb70c6c3296b7473b4ab0acab20c8b1e15479a7a191f
                                                                                                                                                      • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                                                                                      • Instruction Fuzzy Hash: EF519C71200606EFDB16DF58C580A5AFBF5FF45B08F15C1AAE9089F262E371E946CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 75dad5f2a1255be126733a96accb1bf7e4eb853fd8a62d1e2753829081ca267d
                                                                                                                                                      • Instruction ID: 477ce2d5c22c102b850eea12270e829bddeec6b7fcb0c9d56b57b11b1f9f7c1c
                                                                                                                                                      • Opcode Fuzzy Hash: 75dad5f2a1255be126733a96accb1bf7e4eb853fd8a62d1e2753829081ca267d
                                                                                                                                                      • Instruction Fuzzy Hash: E1412B726403265BCF25EF6CD885BAB7BA5EB9470CF42443DED02AB3A1D77198408B90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ea912c047c300534fdb23e209943c85539efe7023534cdbc9b045f7b9b6e142c
                                                                                                                                                      • Instruction ID: 87463bea692b5c722c8ca9fb96d7a3b06c91f126bfa0f36907a39ad92fb6a804
                                                                                                                                                      • Opcode Fuzzy Hash: ea912c047c300534fdb23e209943c85539efe7023534cdbc9b045f7b9b6e142c
                                                                                                                                                      • Instruction Fuzzy Hash: 3241CA35A013299BCB18DF98C444AEEBBF4BF48708F14816AF815E7290D7B59C41CBA4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6f3bcbb6e42b2b275f2668f22afed065e1040ec476631ba15f98926aff86208f
                                                                                                                                                      • Instruction ID: ac1e28069c4dc6e16e68c4e3409ca841ce1cfe0594aa282c5a7c863ed4de6863
                                                                                                                                                      • Opcode Fuzzy Hash: 6f3bcbb6e42b2b275f2668f22afed065e1040ec476631ba15f98926aff86208f
                                                                                                                                                      • Instruction Fuzzy Hash: 1051E171704641CFD722CF5CC480BAA77E5FB44B68F49046AEA058BBA5EB38DC41CB61
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 8374cdca78a43a5ce166517abcf8112bbd6a07e4a546bfb39f5bc99ecc16ac49
                                                                                                                                                      • Instruction ID: c75d27241a84173025572cd2d6aa65f928b752fbf45026dd917388f2bbcbc5b0
                                                                                                                                                      • Opcode Fuzzy Hash: 8374cdca78a43a5ce166517abcf8112bbd6a07e4a546bfb39f5bc99ecc16ac49
                                                                                                                                                      • Instruction Fuzzy Hash: 2C51E7B1A00116DBDB25DF28CC45BE9BBB4FF11318F1582AAE219976D2E77499C1CF40
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 89112b69324a3a61eb518006a40f9e1e4d5ca9d7de80ed428888bd5d69958bd5
                                                                                                                                                      • Instruction ID: ed32d292f20379401d889717cc520a5db250f3f127e210659799a0632f5b6b2a
                                                                                                                                                      • Opcode Fuzzy Hash: 89112b69324a3a61eb518006a40f9e1e4d5ca9d7de80ed428888bd5d69958bd5
                                                                                                                                                      • Instruction Fuzzy Hash: 1641D071640706EFDB22AF69D880B6BBBF8EF10758F40447AE501CB6A1D774E940CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                      • Instruction ID: a4436fb062fafe4b4c64b481d70b8117bd4f595415143ad88c647b319369eeef
                                                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                      • Instruction Fuzzy Hash: A541B571B00106ABDF15DF99C988AEFBBBAEF98610F15806EE905A7361D670DE01C750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0d022aa13df62e969c8da303139d6c4e9bc69925290e22680ce1c82f28e95720
                                                                                                                                                      • Instruction ID: 3599350bf48959b8cd452e3a8b5e6d9dff0e1c1e93e1fb84e192a5e14b4bccdf
                                                                                                                                                      • Opcode Fuzzy Hash: 0d022aa13df62e969c8da303139d6c4e9bc69925290e22680ce1c82f28e95720
                                                                                                                                                      • Instruction Fuzzy Hash: DD418072944205CFDB21DF6CE6A87AE7BB8FF14318F19015AE411BB3A5DB749900CBA4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7028de66f9303dd88c023c2691738e1e6a6e4fc11c092cf3adb4c39f1f9ae0ce
                                                                                                                                                      • Instruction ID: bef25b06bac9a91f839db3c0f663d56ffba479aad798ce8fb2bcfc1f44cd74af
                                                                                                                                                      • Opcode Fuzzy Hash: 7028de66f9303dd88c023c2691738e1e6a6e4fc11c092cf3adb4c39f1f9ae0ce
                                                                                                                                                      • Instruction Fuzzy Hash: 5F4129B4D00248DEDB24CFA9D480AAEFFF8FB58704F95816EE559A7291D7709904CF60
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 88e9b07f6c50ed55ef85f0adbac7185b627e6913f87ec4f2a627ee1ada96c4ef
                                                                                                                                                      • Instruction ID: abadab54957512fe15d51a8aeab7a8ae45fca68a7cdae4740504107ba3a3e2a7
                                                                                                                                                      • Opcode Fuzzy Hash: 88e9b07f6c50ed55ef85f0adbac7185b627e6913f87ec4f2a627ee1ada96c4ef
                                                                                                                                                      • Instruction Fuzzy Hash: 3341C4B1501705CFC722DF29C990B9AB7F5FF54328F5582AEC6068BAA1EB30B941CB41
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87628274ec46300a7697ee777c9115313c5edfd8d6433f385a5c4f0b6e70be13
• Instruction ID: c92b86838491ba141f4885032f000ec7ac545746d700452d81e7c81278e60bf0
• Opcode Fuzzy Hash: 87628274ec46300a7697ee777c9115313c5edfd8d6433f385a5c4f0b6e70be13
• Instruction Fuzzy Hash: 39417171504311AFD720DF29C844B9BBBE8FF98764F004A2EF998D72A1D7709905CB92
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a88b9803b6ac4a16129d77dfa8f236090a30047049b64f14482ee99ac241e680
• Instruction ID: 6b363359e415362ef47fab9d4d11c4587529263991d44e7f78e87e0a81589c79
• Opcode Fuzzy Hash: a88b9803b6ac4a16129d77dfa8f236090a30047049b64f14482ee99ac241e680
• Instruction Fuzzy Hash: 24419D726046429FD320DF6CD840A6BB7A9BFC8700F044A2EF959877A0E730E905C7A6
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ea5495b17dac2630a1319a7d92b8a8e79cf082b2fd92ae736b3a42c4edca791
• Instruction ID: 8176a9d0115b46232e0b9efc23f579c1435589773d42dbfc3180f1e58567f158
• Opcode Fuzzy Hash: 5ea5495b17dac2630a1319a7d92b8a8e79cf082b2fd92ae736b3a42c4edca791
• Instruction Fuzzy Hash: 3D41C0306003418BD725CF2CD8D4B6ABFE9AB80718F05442DE646CB6A2EB32D841CB95
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
• Instruction ID: e80c356c4712de56807a3ac6237cfbe59e0b06c7f0eec7e1b98c9332e8a09694
• Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
• Instruction Fuzzy Hash: 9C314836600289EFDB118BACCC84BDABBB9EF10754F08417AF855D7752D7749844CB64
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d359210e0b2ca848bc6f8454fabd9e6c28058706baaa92046eb08178d8e20e3f
• Instruction ID: b5a5aa2e6fbbb99232e775e034296f78cb0158b460c1591c67505eed74c361ef
• Opcode Fuzzy Hash: d359210e0b2ca848bc6f8454fabd9e6c28058706baaa92046eb08178d8e20e3f
• Instruction Fuzzy Hash: 133155B2A0062DAFDB318B58DC40F9ABBB9EF85718F1101D9E94CA7250DB319D45CF51
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ceacd489c5d8f6e50be208fe83ec8fbf5984932aa4dbe833bdbc273d6372198
• Instruction ID: 3ad9e8a1f6250369551debf6a8f77cebdaa0f7e27768d121479bdd63c7b04f15
• Opcode Fuzzy Hash: 0ceacd489c5d8f6e50be208fe83ec8fbf5984932aa4dbe833bdbc273d6372198
• Instruction Fuzzy Hash: 3941DF71200745DFD722CF28D980FD67BE8AF54718F01842AEA9A8B761D774E844CB90
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
• Instruction ID: c3aa25a5f0acea2316504804c0d9d301dc25981ab027c77cb4312d29b43c07d8
• Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
• Instruction Fuzzy Hash: 073127332082059FE721EA2DE410B67BBF9EB85398F04852AF9C58B395D375C841C7D2
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17264787e3001963a7cd012eac9fd57cb38429d2bbb17d030a43cd65324fe519
• Instruction ID: 49c954b1879aa8693482abe40879f5855be203dccd7ad55964357e389f1b2ca4
• Opcode Fuzzy Hash: 17264787e3001963a7cd012eac9fd57cb38429d2bbb17d030a43cd65324fe519
• Instruction Fuzzy Hash: 613127725002089FC721DF18C880E66BBA9FF45768F95426DED45AF2A6CB31ED42CBD0
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8169e615655830b75bd232c8ac428565ccee799ac069818989ef55716c778fc1
• Instruction ID: 01a2a38a32f1b54815c76fa883de40d7aa5c0476c320fef16846b9b4d81d6de6
• Opcode Fuzzy Hash: 8169e615655830b75bd232c8ac428565ccee799ac069818989ef55716c778fc1
• Instruction Fuzzy Hash: B13180716053118FE320DF19C840B67FBE9FB88B14F0549AEEA88977A1E774D944CB91
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
• Instruction ID: 91e13c75f5728d3cd6a8dd5e6cf480fdaafa3a2773d14b6a05afbc33e6ad1ff8
• Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
• Instruction Fuzzy Hash: AC314D72B00711AFD725CF6DC948B57BBE8BB49A58F04092DA99AC3790E630E8008F50
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 785d3e63235e59f2a2730596c4c4705b58d929acbd9fb0811512f28a1617aa8f
• Instruction ID: 514d3e136825e9bce8495193df2f850830d2b2aee24e9915c6127d5699526aa9
• Opcode Fuzzy Hash: 785d3e63235e59f2a2730596c4c4705b58d929acbd9fb0811512f28a1617aa8f
• Instruction Fuzzy Hash: 8F318B715043028FCB11DF19C44495AFFE1FF99618F4A85AEE888AB322D730DE45CB92
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
• Instruction ID: 5c4085b75bcad23d3f4bc053407c41f71bc7c7921f4dde67de3fb52343e6682c
• Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
• Instruction Fuzzy Hash: 06318EB160824A8FCB01DF1CD880A9A7BE9FF99718F15056AFE55DB361D630DC14CBA1
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4b3d5cad5e582a368df0e2ab3459f29f2c893f00b58831a90344cdc8640aca4
• Instruction ID: 9f8ac870e71810c00a894205b0743f8a1aa398d751b037e53644acfbb1f50f8f
• Opcode Fuzzy Hash: c4b3d5cad5e582a368df0e2ab3459f29f2c893f00b58831a90344cdc8640aca4
• Instruction Fuzzy Hash: D131B172B006059FDB20EFACD981A6EBBFAFB5430CF018429D546D7A64DB30E941CB90
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2502dbb1477ec077a5568323f432a2eb17373de5914fac8dad6a2c8a2fba1b51
• Instruction ID: 934a91724c4ef92a4e44b090b21a51107057ae4b70a363cf26e4aebafbed2654
• Opcode Fuzzy Hash: 2502dbb1477ec077a5568323f432a2eb17373de5914fac8dad6a2c8a2fba1b51
• Instruction Fuzzy Hash: C33129719002018BD722AF9DCC41BAA7774EF50318F89C1BED9499B396DA34E989CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 73c6319d3bd25f1764353cc08b0dea186fdb374233f0a9837b66fa037c4d8196
                                                                                                                                                      • Instruction ID: 3d5ae47e4bfd33729ba79a4332f28f14b76e584652539978d29f1b9045d2bdf0
                                                                                                                                                      • Opcode Fuzzy Hash: 73c6319d3bd25f1764353cc08b0dea186fdb374233f0a9837b66fa037c4d8196
                                                                                                                                                      • Instruction Fuzzy Hash: 7931B131A0052DABDB31DB18CC81FEEB7BDEB15B48F4101B5E645B7290D6749E818FA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ffec3f55d61e79a37e2f7482efad3dca42e5b27caf0876a880034c0a83e0d421
                                                                                                                                                      • Instruction ID: f1a43bd839ea9ee69498932b808f4325da5ac030375dd2c41a7c6584f24a6d2e
                                                                                                                                                      • Opcode Fuzzy Hash: ffec3f55d61e79a37e2f7482efad3dca42e5b27caf0876a880034c0a83e0d421
                                                                                                                                                      • Instruction Fuzzy Hash: 7F21C3726087569BC721CF58C884F5B77E8FF8C718F014519FD44AB281D730E9019BA2
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                      • Instruction ID: 2a6b0c85b54f310be9adf7e852a6cfe2c6bffb63b145fd4615f7b1ce70ef13dc
                                                                                                                                                      • Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                      • Instruction Fuzzy Hash: 0F214F75A00715EBCB11CF58C988A9ABBE5FF48328F118469ED05DB681D670EE058B90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                                                                                                                                      • Instruction ID: d50bd73e366fd41d9f85ade57e0440375d088342478899064e14df12c79ec3d5
                                                                                                                                                      • Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                                                                                                                                      • Instruction Fuzzy Hash: 4F319A31600648EFDB26CBA8C884F6AB7F8EF45358F1444B9E512DB690E770EE01CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 200b59114d6e4048068a6247b25ad265fbb21bbef1328275204a91628787bec9
                                                                                                                                                      • Instruction ID: a1d6615078a3e99ab2b0c1578b1927bb47ab196cdde9955018c2e578586ad9b6
                                                                                                                                                      • Opcode Fuzzy Hash: 200b59114d6e4048068a6247b25ad265fbb21bbef1328275204a91628787bec9
                                                                                                                                                      • Instruction Fuzzy Hash: 4A31A275600215EFCB14CF1CC4849AEBBF5FF84704B56445AE80AAB361D771E991CB94
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 75ef8b687bd37984a275196af6543024ca616f620d29d18f612e5a38a82b13e3
                                                                                                                                                      • Instruction ID: 6eb5c6654245e7005a537c32ccec1e03201f972568b0b6c3c61b8bdcb3bc60ab
                                                                                                                                                      • Opcode Fuzzy Hash: 75ef8b687bd37984a275196af6543024ca616f620d29d18f612e5a38a82b13e3
                                                                                                                                                      • Instruction Fuzzy Hash: 7921E1715003129BC620EB6CD904F4BBBE8AB64A1CF46081AF604976E0EB34DD048BA1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e036abb37ab54ea94f080d39b4c1c2d762cef78f52983b52a7c4f3291dc8c2c3
                                                                                                                                                      • Instruction ID: fd72b8fab274b97c217ae28d49b7e6d2af35588944e957808c57721a0bbce651
                                                                                                                                                      • Opcode Fuzzy Hash: e036abb37ab54ea94f080d39b4c1c2d762cef78f52983b52a7c4f3291dc8c2c3
                                                                                                                                                      • Instruction Fuzzy Hash: C621F7316056259FD7329F09C9C4B96BBA4FF80F18F56001EE94107A91EA70EC44CB91
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 4a7d37f9d9ff0ab0788dd16cb9791510bc4df7e279c08cacece4abbd6dcbaff1
                                                                                                                                                      • Instruction ID: e5295604f3619be0751a643fd58e045881f4d360e1515a97054c4fc53e0b70d3
                                                                                                                                                      • Opcode Fuzzy Hash: 4a7d37f9d9ff0ab0788dd16cb9791510bc4df7e279c08cacece4abbd6dcbaff1
                                                                                                                                                      • Instruction Fuzzy Hash: 6D21A0719002299BCF20DF59C881ABFB7F4FF48704B41016AF941AB250D778AD52CBA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                                                                                                                                      • Instruction ID: 1c66577aabd162051371cb5b880893d06cb8c66c411a9478b4f2e9fa082fde9a
                                                                                                                                                      • Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                                                                                                                                      • Instruction Fuzzy Hash: 7421CF7A2012059FC729DF59D480B66BBE9FF95369F11416DE0078B2A0EBB0EC01CB94
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f9679b0e322f5f4a184179f29ac43cf3331fd7bbe5fca03c8960eb98c62159c7
                                                                                                                                                      • Instruction ID: febdfeb5c0df1f936d2a685b78dbc8290e7463769e2dd0716590a91a29b6ad04
                                                                                                                                                      • Opcode Fuzzy Hash: f9679b0e322f5f4a184179f29ac43cf3331fd7bbe5fca03c8960eb98c62159c7
                                                                                                                                                      • Instruction Fuzzy Hash: EF21F331201725CBCB366B29C808B6737E9AF1023CF55861EE4564BAF1E731E882CB81
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5b3f602ad5d5cbab2272b04a71214d0a5c0fc3be7d948934eff5197b5adfeb09
                                                                                                                                                      • Instruction ID: d09d42a40e7129698135dad0b518b49d23596282b64bcda7148bc9d573a7d461
                                                                                                                                                      • Opcode Fuzzy Hash: 5b3f602ad5d5cbab2272b04a71214d0a5c0fc3be7d948934eff5197b5adfeb09
                                                                                                                                                      • Instruction Fuzzy Hash: AC213B32645AC19BE732572D9C44F263B99BB45B38F2907A5EA319B7E3D77888008210
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 26ecf01169c3f6202b7aac97aa86018f090bad9f24c36a8358b999cbbc68b96f
                                                                                                                                                      • Instruction ID: fdc4971ceed6b0662b2cb93efdb28cf2a708e1206bcc56cb0213311060cbf0a6
                                                                                                                                                      • Opcode Fuzzy Hash: 26ecf01169c3f6202b7aac97aa86018f090bad9f24c36a8358b999cbbc68b96f
                                                                                                                                                      • Instruction Fuzzy Hash: 87219A752007219BC725DF29C800B56B7E4BF08B08F25846DE509CBB62E331E842CB94
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0f585469689cded0dd925869c4814639aa1f890d58fc881d099bea5747e28ede
                                                                                                                                                      • Instruction ID: f62002d83e37827b559f8d83a5b06e15bfebf8a705390f2d15b8311d1475a109
                                                                                                                                                      • Opcode Fuzzy Hash: 0f585469689cded0dd925869c4814639aa1f890d58fc881d099bea5747e28ede
                                                                                                                                                      • Instruction Fuzzy Hash: A4118272600705AFE721CF5DC886B9B7BE8FF46358F464429EA85CB251D736EC008BA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                      • Instruction ID: 6a48202e7975db086c0cef415c71934daee2634cc32e6998e2764649c3e95181
                                                                                                                                                      • Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                      • Instruction Fuzzy Hash: 9811E132605A918BE723971DD954B2A7FE8BB41B6CF0940B5DD019BBA2D738D80AC760
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 60181b0f19c5c2b203a1a96a5c9435c12898f260dd661e36074e524f8be68acf
                                                                                                                                                      • Instruction ID: 57b513f97692a1990ff24fa1492e51c6cbc8248cdf6e83fc1e65bad38eebc448
                                                                                                                                                      • Opcode Fuzzy Hash: 60181b0f19c5c2b203a1a96a5c9435c12898f260dd661e36074e524f8be68acf
                                                                                                                                                      • Instruction Fuzzy Hash: 2311C276A007489BCB20DF6DD884BAEB7E8BF54A14F14407AE901AB756DA34D906C750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                                                                                                                                      • Instruction ID: 3d7653ad78b796532d81684ecb633f5b515fc845f89d795076b24ed63acf1d07
                                                                                                                                                      • Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                                                                                                                                      • Instruction Fuzzy Hash: 8C012232505B26ABCF318F19D840A227BF8EF56B79740852DFC958B690C731D920CBA0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0e544820584fad329f565100edf9c6a5bf790755d24972c3afef65461c99a6d7
                                                                                                                                                      • Instruction ID: 187c00f7ae9f560fc1964edef1109cb9fddf11fdb5198591fa99944136d4da20
                                                                                                                                                      • Opcode Fuzzy Hash: 0e544820584fad329f565100edf9c6a5bf790755d24972c3afef65461c99a6d7
                                                                                                                                                      • Instruction Fuzzy Hash: DB11A070601218ABEF35EB28CC42FE97674BF04718F1041D8A319A60E1DB309E95CF84
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3564fa2db7371609cdd66fa5136c7d3143343b5dcd112feb5b770c8709a51a3c
                                                                                                                                                      • Instruction ID: 3960fa511b4865f74efc3a1c06731c3d54ff9153f04640b32ea7a5b25f51d021
                                                                                                                                                      • Opcode Fuzzy Hash: 3564fa2db7371609cdd66fa5136c7d3143343b5dcd112feb5b770c8709a51a3c
                                                                                                                                                      • Instruction Fuzzy Hash: C411FAB1A002599FCB04DFADD581AAEBBF8FF58704F10806AF905E7351D674EA01CBA4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7d4baaddb8012ede1599c00183d719d32f8a735afb7d5f2bb9e46875d4d1d5c2
                                                                                                                                                      • Instruction ID: c630d2e452eb3106988cbc9cb5cc618abc7f7924c3d8404bf766e34f3d471948
                                                                                                                                                      • Opcode Fuzzy Hash: 7d4baaddb8012ede1599c00183d719d32f8a735afb7d5f2bb9e46875d4d1d5c2
                                                                                                                                                      • Instruction Fuzzy Hash: 5D116D71A0021DEFDB05DF68C850FAF7BB9EB48608F00409DFA119B290DA35ED55CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 21f8d2a7029a7d36e1a091b68c239f3dda4b200f561abc32c36b43d736d22abd
                                                                                                                                                      • Instruction ID: 6d2069f66dd4a9c74be55c29f5a57f33a3e4956b511fe4d25e5634c1ab751e38
                                                                                                                                                      • Opcode Fuzzy Hash: 21f8d2a7029a7d36e1a091b68c239f3dda4b200f561abc32c36b43d736d22abd
                                                                                                                                                      • Instruction Fuzzy Hash: 640171B1201A55BBD2116B6DCD84E57B6ACFF64A58B05012AB50583560DB74EC41C7A0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                                                                                                                      • Instruction ID: 926584591b4561a7be50a2640d48174c81517a07436ae9967855b45674aeb453
                                                                                                                                                      • Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                                                                                                                      • Instruction Fuzzy Hash: C4118B32450B02DFDB329F09C880B22B7F4FB5472AF19886DD5895B5E2C374E880CB10
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0331a79d86a119351e3e1530e1aa7b4195434941887e9b44bd99fc58271930f2
                                                                                                                                                      • Instruction ID: 8adc2b10ea95d82e5e927eea9fa194500294bd54173ceed759609cd7506c5c22
                                                                                                                                                      • Opcode Fuzzy Hash: 0331a79d86a119351e3e1530e1aa7b4195434941887e9b44bd99fc58271930f2
                                                                                                                                                      • Instruction Fuzzy Hash: F01139B16183049FC700DF6DD441A5BBBE8EF98B14F00895FBA58D73A1E630E910CB92
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 02bc3c47b277046675ba5353bfa8ec6ea3656e974c70bf95bdde3ef1f21c0001
                                                                                                                                                      • Instruction ID: 99c7dfbd8b4c2601903684ac3cacad698209e3cca7fa5b2db20a27915bb4ea39
                                                                                                                                                      • Opcode Fuzzy Hash: 02bc3c47b277046675ba5353bfa8ec6ea3656e974c70bf95bdde3ef1f21c0001
                                                                                                                                                      • Instruction Fuzzy Hash: DA015E70A00249EFDB14EF69D851EAEBBB8EF45708F40406ABA10EB280D674DE05CB95
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                                                                                                                      • Instruction ID: 158c874655b60bb87ab3ad35949edb503707cee66577b795241d0f55f7ef64e2
                                                                                                                                                      • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                                                                                                                      • Instruction Fuzzy Hash: C8017632604325DBDB51AA98C808F2E73E9EBD0A38F14815AEE158F7D1CB34DD40C781
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                                                                                                                      • Instruction ID: 301cb14b9249838e03d8f04a20f0afd6d5b82415d419a7dd81b7f34096affde0
                                                                                                                                                      • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                                                                                                                      • Instruction Fuzzy Hash: 4401D1B7700615ABCB11DAAEFE04A9F7BACBF88658B040429BA05D7250DE30DE218760
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: dbc5134261f72c0633a664dcfe30525cc16a5f646f3ec7700ef21a01b95289b8
                                                                                                                                                      • Instruction ID: f863adaac7d1c3e1d6034bd99046955b1c098b020010384699c3fc6b2f397c08
                                                                                                                                                      • Opcode Fuzzy Hash: dbc5134261f72c0633a664dcfe30525cc16a5f646f3ec7700ef21a01b95289b8
                                                                                                                                                      • Instruction Fuzzy Hash: FE01B171A01209AFCB14DFA9D845FAFBBB8EF44714F00406AB900EB380DA74DE05CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0c129d8da60001a628ee223288adf395d357f864c5b51ea9527b667746a6269c
                                                                                                                                                      • Instruction ID: 244e5ed44395c22b71ca5cdd73f3c2ec76b56bb094ac823c735b153a42198e0f
                                                                                                                                                      • Opcode Fuzzy Hash: 0c129d8da60001a628ee223288adf395d357f864c5b51ea9527b667746a6269c
                                                                                                                                                      • Instruction Fuzzy Hash: 31019271A00209AFCB04DFA9D855EAFBBB8EF54714F00406AB900EB380D674DA04C790
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 38bd72c64d88ba9e3d2610aadcbffebc10385c9bec70f3b782c6fa0badd966fb
                                                                                                                                                      • Instruction ID: 226b66d12d81c8d354a05bda967608b232ae1238a1c54da77922c4588fe173e6
                                                                                                                                                      • Opcode Fuzzy Hash: 38bd72c64d88ba9e3d2610aadcbffebc10385c9bec70f3b782c6fa0badd966fb
                                                                                                                                                      • Instruction Fuzzy Hash: 7E019E71A00209AFCB14DFADD845EAFBBB8EF44714F00406AB910EB381D674EE05CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 905eddf7b84e6a190fa353e6f9b450e67f420e4a27efacaf4f794637d1f1ce1e
                                                                                                                                                      • Instruction ID: c976ad33c9c9da8e6c300cc20d4bde4164bdb56fe8ce422479c3942a71aedc13
                                                                                                                                                      • Opcode Fuzzy Hash: 905eddf7b84e6a190fa353e6f9b450e67f420e4a27efacaf4f794637d1f1ce1e
                                                                                                                                                      • Instruction Fuzzy Hash: 6801D6362043219BCB25CF7D961CA63FFE8FB6D228708012AE509C3B64D236E942C714
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f6c0d02d31189591030c0e66cf96d35f824fa50541cedc8ee1441ac85beb1069
                                                                                                                                                      • Instruction ID: 82b74491c415fc525fb8ec56fd56cba269065c23e748c546d82b029b86a95a14
                                                                                                                                                      • Opcode Fuzzy Hash: f6c0d02d31189591030c0e66cf96d35f824fa50541cedc8ee1441ac85beb1069
                                                                                                                                                      • Instruction Fuzzy Hash: E701F275700509DBCB14EFAAD8149BEBBBCFB94A18B8540BADA01E36A0DF34DC06C750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2011f5d907848dc316bbfe581d32dbcf7ad13344395c97ff4d829d47836a7658
                                                                                                                                                      • Instruction ID: 5b67a4a8736ea01947a384233e093105e2a1d1c34ee3b891639c4b2a1de3bc1c
                                                                                                                                                      • Opcode Fuzzy Hash: 2011f5d907848dc316bbfe581d32dbcf7ad13344395c97ff4d829d47836a7658
                                                                                                                                                      • Instruction Fuzzy Hash: A1018F71A00219EFDB14EBA9D855FAFBBB8EF94708F00406AFA41EB281D674D905C794
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 1b4fd480e5ad8bbd2af6591b96d5ccfcb31118dfc957ad66524bcd230993841d
                                                                                                                                                      • Instruction ID: 2b074859e98914b0e19398b85c4f136e89ac93111d988bdf43dd10d7dbe69efa
                                                                                                                                                      • Opcode Fuzzy Hash: 1b4fd480e5ad8bbd2af6591b96d5ccfcb31118dfc957ad66524bcd230993841d
                                                                                                                                                      • Instruction Fuzzy Hash: A2F0F932641A61A7C731DF5ACC80F977FBDEB84F54F104029A70597A40D674EC01D7A0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 32424ff163bc27be55646c896c340229861bf934fe04fe9e63a49af165711675
                                                                                                                                                      • Instruction ID: 24e344af7c300fb00fdd1a24dc9317dde1bb9a26e96c927594b5af3ff2dd0062
                                                                                                                                                      • Opcode Fuzzy Hash: 32424ff163bc27be55646c896c340229861bf934fe04fe9e63a49af165711675
                                                                                                                                                      • Instruction Fuzzy Hash: D6116D74D10259EFCB04EFA9D440AAEBBB4EF18704F14805AB915EB351E634EA02CB54
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                                                                                      • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                                                                                                      • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                                                                                      • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7f02792a911fc8191672a8772272986db5d78669c72718bfe57586af7b916933
                                                                                                                                                      • Instruction ID: 1e0ac942ed1bf40ee48794462db621bc45920d2f22721be045c0731d34ee280a
                                                                                                                                                      • Opcode Fuzzy Hash: 7f02792a911fc8191672a8772272986db5d78669c72718bfe57586af7b916933
                                                                                                                                                      • Instruction Fuzzy Hash: 0D11DE70A00249DFDB04DFA9D541BAEFBF4BF08704F1441AAE515EB382D634D941CB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                                                                                                                                                      • Instruction ID: f44d7a2a3660125524bc666a9cc6701b408bb3bd0285403a33d772c45591c8ad
                                                                                                                                                      • Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                                                                                                                                                      • Instruction Fuzzy Hash: B8F021732405239BDB3216DD8840F57B999DFD5A68F550035E60DFB640C970CC0297D4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cf54e23293a6b70504735c45db8e263c442c8374bfeb54117660ee7cb27d5099
                                                                                                                                                      • Instruction ID: 02f4b33c36060aecf6bdfaa540eb90a923bc1e69d58f50900871271552020b56
                                                                                                                                                      • Opcode Fuzzy Hash: cf54e23293a6b70504735c45db8e263c442c8374bfeb54117660ee7cb27d5099
                                                                                                                                                      • Instruction Fuzzy Hash: D60100B0E003099FCB04DFADD555AAEBBF4FF08704F00805AA955E7351E674DA44CB51
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 05c18ebb9ff4677dc3b017100c860b9f6d435a0dfb0ce918d8fb44663712aeee
                                                                                                                                                      • Instruction ID: cf7eb9e6b458f3c2fe14ffebca1a8d6803a5d0e4d8724a855426f4171752d568
                                                                                                                                                      • Opcode Fuzzy Hash: 05c18ebb9ff4677dc3b017100c860b9f6d435a0dfb0ce918d8fb44663712aeee
                                                                                                                                                      • Instruction Fuzzy Hash: 07F0C832640691A7D63177E99D58F5B3959FBF0E48F9A042DB3010B6F0DA74DC01C750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
                                                                                                                                                      • Instruction ID: 596273feae8771c928c0d0e2312a6cb489ac769ae2928fd49f2bf164c01e2ae6
                                                                                                                                                      • Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
                                                                                                                                                      • Instruction Fuzzy Hash: D4F0127210000DBFEF019F94DD81DAF7BBDEB59698B114125FA1096130D731DE21A7A0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 74cad7417525d8bc1dc1b50b6f74464c0826697552aa30b7fd64f7310fa64387
                                                                                                                                                      • Instruction ID: b416d3fafbf13c274d5a644250eba7f194ed2923726c7b9ead544114c3c08d57
                                                                                                                                                      • Opcode Fuzzy Hash: 74cad7417525d8bc1dc1b50b6f74464c0826697552aa30b7fd64f7310fa64387
                                                                                                                                                      • Instruction Fuzzy Hash: 21F0A471A10218ABDB04EBBDD815AAEB7B8EF54714F0080AAF611EB290DA74E9058751
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                                                                                                                      • Instruction ID: c3e1cc3b01f01cc254f1529420a21cfeea62f26f848a7d2f0b014d74834d1332
                                                                                                                                                      • Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                                                                                                                      • Instruction Fuzzy Hash: 31F04C71B05365ABEB14D7A88845FAFBFE99F80718F044455DE01971C1D630D94182D0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c217713d73d28c823d62d9b2b24112dadb979f3af5f236adf9b1d101fb383384
                                                                                                                                                      • Instruction ID: 650237b9ff9ad4a3bacc1847d9704e44249f372dc78ce2bf4e83e5e424a24032
                                                                                                                                                      • Opcode Fuzzy Hash: c217713d73d28c823d62d9b2b24112dadb979f3af5f236adf9b1d101fb383384
                                                                                                                                                      • Instruction Fuzzy Hash: 01019A36140109ABDF129F84DC40EDA7F66FB4C7A4F068206FE18A6230C632D971EB80
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: dd92e32b2d253c4a32e19825b1465ac18f630a9bf55e05f302785ebc25cf2391
                                                                                                                                                      • Instruction ID: 950ac1ebe5938ff317e3ffa141ca56449e98311eff6a6d225ad131a37c582d46
                                                                                                                                                      • Opcode Fuzzy Hash: dd92e32b2d253c4a32e19825b1465ac18f630a9bf55e05f302785ebc25cf2391
                                                                                                                                                      • Instruction Fuzzy Hash: D4F024722843455BF325E61ECD11B63768AE7D171CF65902AEB098F6D1EA71EC018254
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 07df9709f7495f1447ecf51079e35ff96286f1beec7782c80ad6eb1b0004cc2c
                                                                                                                                                      • Instruction ID: d1e9d92558ff0c7cb94fa38c0c37552058d0c7cb79a2944b1abacbdd8f47ee01
                                                                                                                                                      • Opcode Fuzzy Hash: 07df9709f7495f1447ecf51079e35ff96286f1beec7782c80ad6eb1b0004cc2c
                                                                                                                                                      • Instruction Fuzzy Hash: DB01A970340791DBF7269B2CCD4EB3637E9FB20B08F588195FA019B6E2D738D8408610
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                                                                                                                                      • Instruction ID: c2bf802a250dd229bb7bd154cebeba27a3eddd3f2b623edbdeaacc71982d2b75
                                                                                                                                                      • Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                                                                                                                                      • Instruction Fuzzy Hash: B7F04F72600208BFE711AB68CC41FDAB7FCEB04714F10456AAA56D7290EA70EE41CB90
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 275027c82646c8026ef163070ce04c9f6ff2e460f88b119a6fade6f06f14e951
                                                                                                                                                      • Instruction ID: c7472cc7e3a9966c4fbda4faf5199be2b0eb0ff6dcccc3f860e5475637682e54
                                                                                                                                                      • Opcode Fuzzy Hash: 275027c82646c8026ef163070ce04c9f6ff2e460f88b119a6fade6f06f14e951
                                                                                                                                                      • Instruction Fuzzy Hash: 53F0AF702053049FD714EF28C841A1BBBE4EF98B04F408A5EB9A8DB395E634E900C796
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0b130ccf6dd9bb24af91f8eb9e3c71928e6245942329826cbd710016325f06ba
                                                                                                                                                      • Instruction ID: 6d2e14f1910925c345152afeedc10a966944dbb9606f4525b0cd73fe2ef2a57a
                                                                                                                                                      • Opcode Fuzzy Hash: 0b130ccf6dd9bb24af91f8eb9e3c71928e6245942329826cbd710016325f06ba
                                                                                                                                                      • Instruction Fuzzy Hash: BFF04F74E10209EFDB04EFA9D945AAEBBF4FF18704F50845AB905EB391E674DA00CB54
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: da53f2604e5c9ca959dd13e808d7ff3e06f2081051e0d183a3c8af60aeb12ab3
                                                                                                                                                      • Instruction ID: ae0be37cc4a9dcc1d2e83b5e889eb419b37694b9c0dda6209e195f332f68c424
                                                                                                                                                      • Opcode Fuzzy Hash: da53f2604e5c9ca959dd13e808d7ff3e06f2081051e0d183a3c8af60aeb12ab3
                                                                                                                                                      • Instruction Fuzzy Hash: E0F02E32200704ABD731DB08DC04F9BBBFDEF80B08F08011CE542A30A1CAA0F909C760
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                                                                                                                                      • Instruction ID: ada07caa9838e054b69fb7d5144d3149ba4cdbb10c30a579508e6f14ca79261a
                                                                                                                                                      • Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                                                                                                                                      • Instruction Fuzzy Hash: 07F0B472750305AFE318DB25CC49B56B7E9EF9C718F148078A505D71A0FAB1ED01C714
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7460426ea90345c746b13594e582dc298a104ac00b2439258fe882cae4357112
• Instruction ID: 8b82de0b484ca7509c43c8aa01e342a08f4ad31fabb0f2f73f4148b69123cb38
• Opcode Fuzzy Hash: 7460426ea90345c746b13594e582dc298a104ac00b2439258fe882cae4357112
• Instruction Fuzzy Hash: A5F06270A0130DDFCB04EF69C555A5FB7B4EF58704F40805AB915EB395DA34EA01CB50
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfa1a0b4df73b3fd1b09b36f11c84ec46981bce33cf388723b01733671e8b519
• Instruction ID: 2fabd6f4fb78959fda68c1f5ec936e77817f5bc1daf6ba2044a9e99f8441a3bb
• Opcode Fuzzy Hash: cfa1a0b4df73b3fd1b09b36f11c84ec46981bce33cf388723b01733671e8b519
• Instruction Fuzzy Hash: 09F06270A10248EFDB04DFA9D415EAEBBF8AF18708F404059A951EB391D634D904CB54
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fd8f427ad8cde68d0c9780207c0282683b917b27c47a99c896e4124da1d652c
• Instruction ID: 40d6f58c69f535df0d2bb20ee4cf976d8f531b9a24c1a91eb2561c16c07183f1
• Opcode Fuzzy Hash: 5fd8f427ad8cde68d0c9780207c0282683b917b27c47a99c896e4124da1d652c
• Instruction Fuzzy Hash: B3F0F0B15012949EEB22932CC185BE1BBE8DB0366CF08486AC63B8BD13E320D884C659
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
• Instruction ID: b7ddcf687e85e0a514637c04eb614cd27a8edd433d1a3784c7fc48eb636d9ef7
• Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
• Instruction Fuzzy Hash: ADE09232340A41ABE7119E5D9CD8F47BB9E9FD2B14F04047DBA045E141CAE2DD0982A0
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdef7d904255bca83585748e18e12fd1ac1ce6be3cf5d2e6a585c62f0d90ed21
• Instruction ID: d89f44d20845a0155eed7e7ba427086ab90937215647b823b2e781febcb60e1a
• Opcode Fuzzy Hash: bdef7d904255bca83585748e18e12fd1ac1ce6be3cf5d2e6a585c62f0d90ed21
• Instruction Fuzzy Hash: CEF027B15117B1DFEB22A35EC44CB69BBD89B0176CF099165D406875D3C730EC80C684
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f928fb8c9eb420d92fc8a9d0648cddd77ff6637bb1fdb14366b21af637388196
• Instruction ID: 528c7ce3f70111031cf70b7dae5067b09428848cea9a9f055c839bdbc7545570
• Opcode Fuzzy Hash: f928fb8c9eb420d92fc8a9d0648cddd77ff6637bb1fdb14366b21af637388196
• Instruction Fuzzy Hash: 4BF0B832A117A58FDB62A329C048B12B7D8EB08BA4F4D8066D81887A22C330D880C690
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 559d137adfe929df4b780d67b92eb9c3a900b446b715d351b5cbe60e89330087
• Instruction ID: bf9c4fd63133248247873fb9dc31b33e37b1e83aba6a6c588858540a66db9b19
• Opcode Fuzzy Hash: 559d137adfe929df4b780d67b92eb9c3a900b446b715d351b5cbe60e89330087
• Instruction Fuzzy Hash: 54F0E2B0A00209ABDB04EBB9D405E9EBBB8AF08708F004499A601EB281EA34D9018714
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c2563b1f9914abe173b27bded0a1e689005fa3e81d4478d8ec795fafbd6dae7
• Instruction ID: 1222b64ba96fa37f897c860732449444b1466d5b579bffa5e357c486929a10f8
• Opcode Fuzzy Hash: 9c2563b1f9914abe173b27bded0a1e689005fa3e81d4478d8ec795fafbd6dae7
• Instruction Fuzzy Hash: 2EF08270A10249ABDB04DBADD456A9F77B8EF08708F504099E642EB291D974D905CB18
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adc28ea938ee82534579c07f5fa0ec96df26bcfeaefc31c988e6cbf02db2b597
• Instruction ID: 1a9f4b6681bae146f28a47e0354dc133bed274752216ca51a6e197cd675c4cf1
• Opcode Fuzzy Hash: adc28ea938ee82534579c07f5fa0ec96df26bcfeaefc31c988e6cbf02db2b597
• Instruction Fuzzy Hash: 64F08270A00248EBDB04DBA9D956A9E77B8AF08708F404099E641EB291D974DD048758
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 931c57d54fe7f48be70e5c2263a0a1480c68f2af05d56268b05a6309eb0c3c29
• Instruction ID: 302020e8bb722c40573f067eb9bd864d95d6bbb37f185d68d4051db6f38e8390
• Opcode Fuzzy Hash: 931c57d54fe7f48be70e5c2263a0a1480c68f2af05d56268b05a6309eb0c3c29
• Instruction Fuzzy Hash: 6DE092726419316BD2215A18EC04FA6779DEBE4A54F0A4439E604D7254DA29DD06C7E0
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
• Instruction ID: 98026a6b95c45bf0a9f41cb17bbcc753a9144b05612aa1f2fe4ba3fe6da1a8d5
• Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
• Instruction Fuzzy Hash: F4E0E533140625ABC7211A0EDC04F63BBA8FB90775F00C11AE558635D08A70EC11CAE0
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
• Instruction ID: 0e47739541ed49b3f42df6e657da7f5d0b886a60ce3889a1d4b28f77fc088c4d
• Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
• Instruction Fuzzy Hash: E6E06572210204BBE725EB48DD01FEA73ACEB10B20F140269B625932E0DBB0FE40CA60
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f38d925ac132d98651c2cdb652b4023b45f55f3383bda2e6f2ab3425330f00f1
• Instruction ID: 79225a11fd4744d70415b8b58abd24fae28e1a5dd08a636fe69ee97318d9457b
• Opcode Fuzzy Hash: f38d925ac132d98651c2cdb652b4023b45f55f3383bda2e6f2ab3425330f00f1
• Instruction Fuzzy Hash: 66E09232100544ABC721BB1DDD41FDBBB99EFA0368F014119F216575A1CA30ED10C7C4
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
• Instruction ID: 20652e3c0bfb9ab1e0abbf3dbe366b914fa8368b60faba8353badb38690e4c47
• Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
• Instruction Fuzzy Hash: 58E0C231050915EFEB322B28DC00F9276A5FF00B19F2004AFF186064A18BB4EC91DB48
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
• Instruction ID: 92ee0c3233b7e6412bf0bb1af219e7b05904db23804aab99e42486eb3cdebc15
• Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
• Instruction Fuzzy Hash: 70D05E32051620EAD7323F19FD09F96BAB6EF50F18F050528B141264F486B1ED84CA90
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                                                                                                                                      • Instruction ID: 90619631003c039acc7c469b26cdac22cbba39acef812e6be97052545378f39d
                                                                                                                                                      • Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                                                                                                                                      • Instruction Fuzzy Hash: 39E0EC369506849FDB12DB9DC640F9ABBB5BB84B00F190458A5096B760D634ED40CB40
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                                                                                                                                      • Instruction ID: 06c11d9b990b1ac49a2c2edec887eb75f0dd16c4ceeecefd1e9839180e113efb
                                                                                                                                                      • Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                                                                                                                                                      • Instruction Fuzzy Hash: B5D0A932204620ABC732AA1CFC00FC333E8BB88B25F02046AF008C7162C368EC81C680
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                                                                                                                                      • Instruction ID: 5a6b810bf29f3cf171cffcbb976a816c0d950daabe1c07dc9ed4c3325d229c72
                                                                                                                                                      • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                                                                                                                                      • Instruction Fuzzy Hash: B0D0123324607197DB39A659A914FA77959EB91A58F5A006D790A93900C5148C42D6E0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                                                                                                                                                      • Instruction ID: 154b10511e902512424e6a0bb4dd91886121e8269088321073fc3bc25c1c708d
                                                                                                                                                      • Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                                                                                                                                                      • Instruction Fuzzy Hash: E5D012371D054DBBCB119F65DC01F957BA9E7A4B60F048020B504875A0CA3AE950D684
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                                                                                                                                      • Instruction ID: 6a82f82cf924bee647b39db298ef96f3083de048a4b6bea34890ae46e28ca9b9
                                                                                                                                                      • Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                                                                                                                                      • Instruction Fuzzy Hash: F1D0E93A352E80DFD65BCB1DC994B1673A4BB44F84F854494E901CB766D77CD944CA04
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                      • Instruction ID: 65896d28f8c13fecb2c0dbc674c34862a00b8ed68b32c1271e614b940cfe640e
                                                                                                                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                      • Instruction Fuzzy Hash: F2D0123710024CEFCB05DF84D854D5A772AFFD8B10F108019FD19076108A31ED62DA50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                                                                                                                                      • Instruction ID: 6b120457aef4591999b609363089fd87c42ba2db80ebdd5df5d7e2d5d5d81842
                                                                                                                                                      • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                                                                                                                                      • Instruction Fuzzy Hash: FFC08CB21412806BEB2B5B28EA10B283A54BB00F0DF84019CEA001E5A2CB6ADC018308
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5a76f43673c984a86c443338df558dd14397e0cfd34f5fe83e72a06734b7e60d
                                                                                                                                                      • Instruction ID: 3754eaa7a75e4959bfd423e4684cbd189103657936180aa019bf4fdba9873520
                                                                                                                                                      • Opcode Fuzzy Hash: 5a76f43673c984a86c443338df558dd14397e0cfd34f5fe83e72a06734b7e60d
                                                                                                                                                      • Instruction Fuzzy Hash: B4900232A0580112954171595A845464005A7E0301B51C426E0414559CCB348A566361
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3c8abe47f924ac55b89a91541808ad3dc0dbbbf4c223e629259cb134dee1e296
                                                                                                                                                      • Instruction ID: 2f4c9c6ea4573f9e410029d9ea212ba3c2c1c3c675dc3777db9e49944bbbfcbb
                                                                                                                                                      • Opcode Fuzzy Hash: 3c8abe47f924ac55b89a91541808ad3dc0dbbbf4c223e629259cb134dee1e296
                                                                                                                                                      • Instruction Fuzzy Hash: DB900262A0150142454171595A044066005A7E1301391C52AA0544565CC7388955A269
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7df2de9bc5ac1855ef373dff1f81dd1cbe770a144880f4cf4ce19c6d688e86d0
                                                                                                                                                      • Instruction ID: 24d2f67e580d86043c2ba486555253abe9d9939ba090d8bb39e3a957e12ceb77
                                                                                                                                                      • Opcode Fuzzy Hash: 7df2de9bc5ac1855ef373dff1f81dd1cbe770a144880f4cf4ce19c6d688e86d0
                                                                                                                                                      • Instruction Fuzzy Hash: B1900437711401030507F55D17045070047D7D5351351C437F1005555CD731CD717131
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6234a8fbc63120369c8c12953eb1aefe9b5572ef19ae303a3fca30769143313d
                                                                                                                                                      • Instruction ID: 27f3f7fa83f3f0804a14bf54de16fc37ce323f06e2c3f285f24d044d0f907ce4
                                                                                                                                                      • Opcode Fuzzy Hash: 6234a8fbc63120369c8c12953eb1aefe9b5572ef19ae303a3fca30769143313d
                                                                                                                                                      • Instruction Fuzzy Hash: 599002A2601541924901B2599604B0A450597E0301B51C42BE1044565CC6358951A135
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 15fd5406311af1f9cd545f2e8b56a01a7f65399c5b145d37c3fa88506dc936b3
                                                                                                                                                      • Instruction ID: efda9bf73841987faf03d96bdfc53d09e23ee31db162eb1f5ed5fd7498352d0e
                                                                                                                                                      • Opcode Fuzzy Hash: 15fd5406311af1f9cd545f2e8b56a01a7f65399c5b145d37c3fa88506dc936b3
                                                                                                                                                      • Instruction Fuzzy Hash: E690022264545202D551715D56046164005B7E0301F51C436A0804599DC67589557221
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d61cf15b202f48f896ad284beb365b1f255bae7f703eb8e1e3d3c375017b0aef
                                                                                                                                                      • Instruction ID: 5286086911b5b0d56804df8c7bd0a07a1e7aec003499b8276808060df9332848
                                                                                                                                                      • Opcode Fuzzy Hash: d61cf15b202f48f896ad284beb365b1f255bae7f703eb8e1e3d3c375017b0aef
                                                                                                                                                      • Instruction Fuzzy Hash: AC90023260140902D5817159560464A000597D1301F91C42AA0015659DCB358B5977A1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 543443fd063da0a46021e4a3b2509273930cfc37d74fc79b936e226d66c2991f
                                                                                                                                                      • Instruction ID: 7b9f9534449c759078a80dd27cabf6d10734906ee7bf8d9b016e6ed576ad3cae
                                                                                                                                                      • Opcode Fuzzy Hash: 543443fd063da0a46021e4a3b2509273930cfc37d74fc79b936e226d66c2991f
                                                                                                                                                      • Instruction Fuzzy Hash: 9B90023260544942D54171595604A46001597D0305F51C426A0054699DD7358E55B661
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 692f66099984f8ab265ddb88e006ef67d0d1ac19719801f448ef770a553190aa
                                                                                                                                                      • Instruction ID: a3e3f79a2d804a5e2519329a808fe2c4ef4fc34eedb77470b74bcf62793b25ad
                                                                                                                                                      • Opcode Fuzzy Hash: 692f66099984f8ab265ddb88e006ef67d0d1ac19719801f448ef770a553190aa
                                                                                                                                                      • Instruction Fuzzy Hash: D090023260140942D50171595604B46000597E0301F51C42BA0114659DC735C9517521
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7199fff9204772b78dae40fad4ab89b2c6799c6dd7969fe0a40eaa68d83b38c2
                                                                                                                                                      • Instruction ID: 5335867fa7ac227253b7195333932ab86351bd0c8c933f0c075b4143215c66fe
                                                                                                                                                      • Opcode Fuzzy Hash: 7199fff9204772b78dae40fad4ab89b2c6799c6dd7969fe0a40eaa68d83b38c2
                                                                                                                                                      • Instruction Fuzzy Hash: 60900222A0540502D54171596618706001597D0301F51D426A0014559DC7798B5576A1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0d72e85ce232e180d39c63b90d05e987e281dd8979f2234a0ba8849fdf5b1b18
                                                                                                                                                      • Instruction ID: 5bd98b99a52ca7ecc9ff73c587154081f3c097605fcdde3ce69c46013edd24ec
                                                                                                                                                      • Opcode Fuzzy Hash: 0d72e85ce232e180d39c63b90d05e987e281dd8979f2234a0ba8849fdf5b1b18
                                                                                                                                                      • Instruction Fuzzy Hash: A1900226621401020546B559170450B0445A7D6351391C42AF1406595CC73189656321
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: df2aa6cce93c09746895d1bd5df3b09a9bd0d728f3df2473fa995e0b5561307b
                                                                                                                                                      • Instruction ID: 4f34bc48e17414a1fccb9906d98809745fcbab934590f76b6b8c34b5ffa19cf5
                                                                                                                                                      • Opcode Fuzzy Hash: df2aa6cce93c09746895d1bd5df3b09a9bd0d728f3df2473fa995e0b5561307b
                                                                                                                                                      • Instruction Fuzzy Hash: BD90023260140902D50571595A04686000597D0301F51C426A601465AED77589917131
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e3e39d6ea71563c79d5a09ec20867a4bd3c7333cc6dfdb03234c3b963a9af2de
                                                                                                                                                      • Instruction ID: ed1babc57afb383d167c959e9a2f7c94b7ec67e4eb97e7264a0ba2f7f2353c83
                                                                                                                                                      • Opcode Fuzzy Hash: e3e39d6ea71563c79d5a09ec20867a4bd3c7333cc6dfdb03234c3b963a9af2de
                                                                                                                                                      • Instruction Fuzzy Hash: EB900232A0540902D55171595614746000597D0301F51C426A0014659DC7758B5576A1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cbab9455caaf14fb9beddd3d86067a866cbb27590086a677e961a23f58555003
                                                                                                                                                      • Instruction ID: 77f84b338f0e095b8da3b82d5008f1356f8b5ae01ef621c9a450346c4d061fe7
                                                                                                                                                      • Opcode Fuzzy Hash: cbab9455caaf14fb9beddd3d86067a866cbb27590086a677e961a23f58555003
                                                                                                                                                      • Instruction Fuzzy Hash: EC90022270140502D503715956146060009D7D1345F91C427E141455ADC7358A53B132
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 639fc831762667ae1e00e54ce4a86739fa4da30f598bef4dff8618be9dbf821f
                                                                                                                                                      • Instruction ID: 778d88e747b7555461f0e89c19fbd76cfdc3f3a7a7c4c4b73f3e361a3e69bd90
                                                                                                                                                      • Opcode Fuzzy Hash: 639fc831762667ae1e00e54ce4a86739fa4da30f598bef4dff8618be9dbf821f
                                                                                                                                                      • Instruction Fuzzy Hash: C5900222A0140602D50271595604616000A97D0341F91C437A101455AECB358A92B131
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 45652b973d73cf0ec0c5b896d5c87929d522af5039fb8122d155fb29e3f6bc7b
                                                                                                                                                      • Instruction ID: c128dc8953e9c36ae2e0473b9bb59a4fd911643ed5321e1b0e401893be010705
                                                                                                                                                      • Opcode Fuzzy Hash: 45652b973d73cf0ec0c5b896d5c87929d522af5039fb8122d155fb29e3f6bc7b
                                                                                                                                                      • Instruction Fuzzy Hash: 8990027260140502D54171595604746000597D0301F51C426A5054559EC7798ED57665
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e86c1b076a8f400190f9951aa3f5d82d7095a7da5ab3c2050ad8295ce91f14e5
                                                                                                                                                      • Instruction ID: 281c3e769eb50ba9b927551a343afc08cf3a4350597ccbc1faf738d0d496f6fa
                                                                                                                                                      • Opcode Fuzzy Hash: e86c1b076a8f400190f9951aa3f5d82d7095a7da5ab3c2050ad8295ce91f14e5
                                                                                                                                                      • Instruction Fuzzy Hash: 7F90022A61340102D5817159660860A000597D1302F91D82AA000555DCCA3589696321
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 80411b9ded0bf9dc22ba85c940a74fcb7de5a43c6ae0968395f2ba1b3b36a2ff
                                                                                                                                                      • Instruction ID: 30f3ebdfc67c4307e1450b9ea97bc0ff80ec5729591be07688f43e6d9151a4c3
                                                                                                                                                      • Opcode Fuzzy Hash: 80411b9ded0bf9dc22ba85c940a74fcb7de5a43c6ae0968395f2ba1b3b36a2ff
                                                                                                                                                      • Instruction Fuzzy Hash: 2F90023260240242994172596A04A4E410597E1302B91D82AA0005559CCA3489616221
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0ece1dd4aeebcc7cad3f857ae111ea09311c53917eed8a1c21cab60c23d3284e
                                                                                                                                                      • Instruction ID: 1fbc7a3bd34fb089ead8e5a3f7970382cc8b9fba52ac9d1cf3356476dbf5d73c
                                                                                                                                                      • Opcode Fuzzy Hash: 0ece1dd4aeebcc7cad3f857ae111ea09311c53917eed8a1c21cab60c23d3284e
                                                                                                                                                      • Instruction Fuzzy Hash: ED90022260544542D50175596608A06000597D0305F51D426A105459ADC7358951B131
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01424460
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0142454D
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01424592
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01424530
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01424507
• ExecuteOptions, xrefs: 014244AB
• Execute=1, xrefs: 0142451E
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
Strings
Memory Dump Source
• Source File: 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1380000_TaojCblZKXL9OpS.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280

Execution Graph

Execution Coverage: 0.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 9
Total number of Limit Nodes: 1
execution_graph (node id, address, API called; edges as from -> to)
• 81169 498f238
• 81170 498f24d; 81169 -> 81170
• 81171 498f26a NtQueryInformationProcess; 81170 -> 81171
• 81172 498f2a4; 81171 -> 81172
• 81173 4c62a80 LdrInitializeThunk
• 81178 4c62b20
• 81180 4c62b2a; 81178 -> 81180
• 81181 4c62b31; 81180 -> 81181
• 81182 4c62b3f LdrInitializeThunk; 81180 -> 81182

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 0498F289
Strings
Memory Dump Source
• Source File: 00000009.00000002.361767258841.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4980000_cleanmgr.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 122 4c62cf0-4c62cfc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 121 4c62c30-4c62c3c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 123 4c62d10-4c62d1c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 124 4c62e50-4c62e5c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 115 4c62a80-4c62a8c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 120 4c62bc0-4c62bcc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                      • Opcode ID: 33527d4dc9fc614931aec729b0084955a4bf663212bdc30669d8a5b62962a78b
                                                                                                                                                      • Instruction ID: fac439b754e9605ce445ea7dcfb09e3935ea542dd15fd73e4ec7f1fac7de3bc9
                                                                                                                                                      • Opcode Fuzzy Hash: 33527d4dc9fc614931aec729b0084955a4bf663212bdc30669d8a5b62962a78b
                                                                                                                                                      • Instruction Fuzzy Hash: D690027120100403F6007598550C646000687E0349F51D415A6115559ED679D8917131

Control-flow Graph
control_flow_graph 118 4c62b80-4c62b8c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e5c61245a63a928089d975c4adb50adaf597daa68ed73c10866362a2e04d2226
• Instruction ID: d37fde42d6e308a1ea889fd09d744752f66dcb187cf47a438c7077de6f91e17a
• Opcode Fuzzy Hash: e5c61245a63a928089d975c4adb50adaf597daa68ed73c10866362a2e04d2226
• Instruction Fuzzy Hash: F090027120100843F60071584508B46000687E0349F51C41AA1215658DD629D8517531

Control-flow Graph
control_flow_graph 119 4c62b90-4c62b9c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cfa892130e552ab845048417f78a51fab97f2b752b6068f5c2aaee6d601dbcc6
• Instruction ID: 3501f5a128e9b60c6f912181f10e279a79a74530453263263ef7d3b7250672bf
• Opcode Fuzzy Hash: cfa892130e552ab845048417f78a51fab97f2b752b6068f5c2aaee6d601dbcc6
• Instruction Fuzzy Hash: 1090027120108803F6107158850874A000687D0349F55C815A551565CDD6A9D8917131

Control-flow Graph
control_flow_graph 116 4c62b00-4c62b0c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d4d6100017d9e223ed18f57a1735e859d3cf0ffad62e8fecc65a845699364d3e
• Instruction ID: 5c026be0a02a9394f9ab3d7604f736b636cce243bea135d2099c1c76d5e694ce
• Opcode Fuzzy Hash: d4d6100017d9e223ed18f57a1735e859d3cf0ffad62e8fecc65a845699364d3e
• Instruction Fuzzy Hash: B690027120504843F64071584508A46001687D034DF51C415A1155698DE639DD55B671

Control-flow Graph
control_flow_graph 117 4c62b10-4c62b1c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f74ff75236034dcdd39322151f34935403b06097fdf54d28c3feb944a0d3d37f
• Instruction ID: 51cbb89050e82a795f995e6abd0f3e691b61bbc0aaa1267d06057249603a13e8
• Opcode Fuzzy Hash: f74ff75236034dcdd39322151f34935403b06097fdf54d28c3feb944a0d3d37f
• Instruction Fuzzy Hash: 4890027120100803F6807158450864A000687D1349F91C419A1116658DDA29DA5977B1

Control-flow Graph
control_flow_graph 125 4c634e0-4c634ec LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b7b72d523a7b41913a72f37a52d59ee8065a31e61fa968036d78d6b1a8403f95
• Instruction ID: ec6f28914aa215fb4e778b29974457bdc30966aee74381e799af786bb14be6f7
• Opcode Fuzzy Hash: b7b72d523a7b41913a72f37a52d59ee8065a31e61fa968036d78d6b1a8403f95
• Instruction Fuzzy Hash: 0E90027160510403F60071584618706100687D0249F61C815A151556CDD7A9D95175B2

Control-flow Graph
control_flow_graph 111 4c62b2a-4c62b2f 112 4c62b31-4c62b38 111->112 113 4c62b3f-4c62b46 LdrInitializeThunk 111->113
APIs
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0eb1a19b65357ddf71f62cd63efe9be0a167b87c2054bb18c8f6490f606a34ed
• Instruction ID: 4948d3d8c940e6c5708bea2b5cd502b5261dd925f248e8e9b4df3116b365fbd2
• Opcode Fuzzy Hash: 0eb1a19b65357ddf71f62cd63efe9be0a167b87c2054bb18c8f6490f606a34ed
• Instruction Fuzzy Hash: 9BB092B29024C5CAFB11FB604B0CB1B7A06ABD0749F26C4A6E3570685E873CE191F276
Memory Dump Source
• Source File: 00000009.00000002.361767258841.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4980000_cleanmgr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91124ed8d635993bab3906c96ed33d8b4d056ad5cfb69857b361c0c87084c139
• Instruction ID: 5df682048f23520b5e2c3e092041822ca1a34dff3e834e05da5039c9fde64448
• Opcode Fuzzy Hash: 91124ed8d635993bab3906c96ed33d8b4d056ad5cfb69857b361c0c87084c139
• Instruction Fuzzy Hash: 6041C271608B094FD768FF6D908167AB2E6FB86314F51063DD88AC3252EB74F84A8785
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C94460
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C9454D
• CLIENT(ntdll): Processing section info %ws..., xrefs: 04C94592
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C94530
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C94507
• ExecuteOptions, xrefs: 04C944AB
• Execute=1, xrefs: 04C9451E
Memory Dump Source
• Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
• Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 34589b4091125d9dc3127588f014b2bc704467f5bea772bcf479711c65601dd5
• Instruction ID: a253c554dc5737d2078e05f06d157fd737e563ce7213044544a1f4cc3f0f9b4f
• Opcode Fuzzy Hash: 34589b4091125d9dc3127588f014b2bc704467f5bea772bcf479711c65601dd5
• Instruction Fuzzy Hash: 7151F9316412197AEF14AEA5DC99FAD73AAEF04304F4404E9E905A7190EA70BFC19F58
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                                                                                                                                      • Associated: 00000009.00000002.361767492332.0000000004D19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                      • Associated: 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_9_2_4bf0000_cleanmgr.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: $$@
                                                                                                                                                      • API String ID: 0-1194432280
                                                                                                                                                      • Opcode ID: 09b34917f495c5eac81241b3d7ba83822b8ae779043e604435a479638d87897d
                                                                                                                                                      • Instruction ID: a1f017c81988327ecc7f70a8e32b318a34820f49961225ccfac967b375281160
                                                                                                                                                      • Opcode Fuzzy Hash: 09b34917f495c5eac81241b3d7ba83822b8ae779043e604435a479638d87897d
                                                                                                                                                      • Instruction Fuzzy Hash: 43815DB1D002699BDB31DF54CD44BEEB6B9AF48704F0041EAE90AB7250E770AE80DF61